Audit fields

edit

The audit module reports security-relevant information based on data captured from the operating system (OS) or services running on the OS.

audit fields

edit

file fields

edit

The file metricset generates events when a file changes on disk.

audit.file.path

edit

type: text

The path to the file.

audit.file.path.raw

edit

type: keyword

The path to the file. This is an non-analyzed field that is useful for aggregations.

audit.file.target_path

edit

type: keyword

The target path for symlinks.

audit.file.action

edit

type: keyword

example: attributes_modified

Action describes the change that triggered the event. The possible values are: attributes_modified, created, deleted, updated, moved, and config_change.

audit.file.type

edit

type: keyword

The file type (file, dir, or symlink).

audit.file.inode

edit

type: keyword

The inode representing the file in the filesystem.

audit.file.uid

edit

type: keyword

The user ID (UID) of the file owner.

audit.file.owner

edit

type: keyword

The file owner’s username.

audit.file.gid

edit

type: keyword

The primary group ID (GID) of the file.

audit.file.group

edit

type: keyword

The primary group name of the file.

audit.file.sid

edit

type: keyword

The security identifier (SID) of the file owner (Windows only).

audit.file.mode

edit

type: keyword

example: 416

The mode of the file in octal representation.

audit.file.size

edit

type: long

The file size in bytes (field is only added when type is file).

audit.file.mtime

edit

type: date

The last modified time of the file (time when content was modified).

audit.file.ctime

edit

type: date

The last change time of the file (time when metadata was changed).

audit.file.hashed

edit

type: boolean

Boolean indicating if the event includes any file hashes.

audit.file.md5

edit

type: keyword

MD5 hash of the file.

audit.file.sha1

edit

type: keyword

SHA1 hash of the file.

audit.file.sha224

edit

type: keyword

SHA224 hash of the file.

audit.file.sha256

edit

type: keyword

SHA256 hash of the file.

audit.file.sha384

edit

type: keyword

SHA384 hash of the file.

audit.file.sha3_224

edit

type: keyword

SHA3_224 hash of the file.

audit.file.sha3_256

edit

type: keyword

SHA3_256 hash of the file.

audit.file.sha3_384

edit

type: keyword

SHA3_384 hash of the file.

audit.file.sha3_512

edit

type: keyword

SHA3_512 hash of the file.

audit.file.sha512

edit

type: keyword

SHA512 hash of the file.

audit.file.sha512_224

edit

type: keyword

SHA512/224 hash of the file.

audit.file.sha512_256

edit

type: keyword

SHA512/256 hash of the file.

kernel fields

edit

The kernel metricset distributes audit events received from the Linux Audit Framework that is a part of the Linux kernel.

audit.kernel.action

edit

type: keyword

example: logged-in

A description of the action taken by the user.

actor fields

edit

The actor is the user that triggered the audit event.

attrs fields

edit

Attributes of the actor.

audit.kernel.actor.attrs.auid

edit

type: keyword

login user ID

audit.kernel.actor.attrs.uid

edit

type: keyword

user ID

audit.kernel.actor.attrs.euid

edit

type: keyword

effective user ID

audit.kernel.actor.attrs.fsuid

edit

type: keyword

file system user ID

audit.kernel.actor.attrs.suid

edit

type: keyword

sent user ID

audit.kernel.actor.attrs.gid

edit

type: keyword

group ID

audit.kernel.actor.attrs.egid

edit

type: keyword

effective group ID

audit.kernel.actor.attrs.sgid

edit

type: keyword

set group ID

audit.kernel.actor.attrs.fsgid

edit

type: keyword

file system group ID

audit.kernel.actor.primary

edit

type: keyword

The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.

audit.kernel.actor.secondary

edit

type: keyword

The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su.

selinux fields

edit

The SELinux identity of the actor.

audit.kernel.actor.selinux.user

edit

type: keyword

account submitted for authentication

audit.kernel.actor.selinux.role

edit

type: keyword

user’s SELinux role

audit.kernel.actor.selinux.domain

edit

type: keyword

The actor’s SELinux domain or type.

audit.kernel.actor.selinux.level

edit

type: keyword

example: s0

The actor’s SELinux level.

audit.kernel.actor.selinux.category

edit

type: keyword

The actor’s SELinux category or compartments.

audit.kernel.category

edit

type: keyword

example: audit-rule

The event’s category is a value derived from the record_type.

audit.kernel.sequence

edit

type: long

The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover.

audit.kernel.session

edit

type: keyword

The session ID assigned to a login. All events related to a login session will have the same value.

paths fields

edit

List of paths associated with the event.

audit.kernel.paths.inode

edit

type: keyword

inode number

audit.kernel.paths.dev

edit

type: keyword

device name as found in /dev

audit.kernel.paths.obj_user

edit

type: keyword

audit.kernel.paths.obj_role

edit

type: keyword

audit.kernel.paths.obj_domain

edit

type: keyword

audit.kernel.paths.obj_level

edit

type: keyword

audit.kernel.paths.objtype

edit

type: keyword

audit.kernel.paths.ouid

edit

type: keyword

file owner user ID

audit.kernel.paths.rdev

edit

type: keyword

the device identifier (special files only)

audit.kernel.paths.nametype

edit

type: keyword

kind of file operation being referenced

audit.kernel.paths.ogid

edit

type: keyword

file owner group ID

audit.kernel.paths.item

edit

type: keyword

which item is being recorded

audit.kernel.paths.mode

edit

type: keyword

mode flags on a file

audit.kernel.paths.name

edit

type: keyword

file name in avcs

audit.kernel.record_type

edit

type: keyword

The audit record’s type.

socket fields

edit

Socket data from sockaddr messages.

audit.kernel.socket.port

edit

type: keyword

The port number.

audit.kernel.socket.saddr

edit

type: keyword

The raw socket address structure.

audit.kernel.socket.addr

edit

type: keyword

The remote address.

audit.kernel.socket.family

edit

type: keyword

example: unix

The socket family (unix, ipv4, ipv6, netlink).

audit.kernel.socket.path

edit

type: keyword

This is the path associated with a unix socket.

thing fields

edit

This is the thing or object being acted upon in the event.

audit.kernel.thing.what

edit

type: keyword

A description of the what the "thing" is (e.g. file, socket, user-session).

audit.kernel.thing.primary

edit

type: keyword

audit.kernel.thing.secondary

edit

type: keyword

selinux fields

edit

The SELinux identity of the object.

audit.kernel.thing.selinux.user

edit

type: keyword

The owner of the object.

audit.kernel.thing.selinux.role

edit

type: keyword

The object’s SELinux role.

audit.kernel.thing.selinux.domain

edit

type: keyword

The object’s SELinux domain or type.

audit.kernel.thing.selinux.level

edit

type: keyword

example: s0

The object’s SELinux level.

audit.kernel.how

edit

type: keyword

This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.

audit.kernel.key

edit

type: keyword

The key assigned to the audit rule that triggered the event.

audit.kernel.result

edit

type: keyword

example: success or fail

The result of the audited operation (success/fail).

data fields

edit

The data from the audit messages.

audit.kernel.data.action

edit

type: keyword

netfilter packet disposition

audit.kernel.data.minor

edit

type: keyword

device minor number

audit.kernel.data.acct

edit

type: keyword

a user’s account name

audit.kernel.data.addr

edit

type: keyword

the remote address that the user is connecting from

audit.kernel.data.cipher

edit

type: keyword

name of crypto cipher selected

audit.kernel.data.id

edit

type: keyword

during account changes

audit.kernel.data.entries

edit

type: keyword

number of entries in the netfilter table

audit.kernel.data.kind

edit

type: keyword

server or client in crypto operation

audit.kernel.data.ksize

edit

type: keyword

key size for crypto operation

audit.kernel.data.spid

edit

type: keyword

sent process ID

audit.kernel.data.arch

edit

type: keyword

the elf architecture flags

audit.kernel.data.argc

edit

type: keyword

the number of arguments to an execve syscall

audit.kernel.data.major

edit

type: keyword

device major number

audit.kernel.data.unit

edit

type: keyword

systemd unit

audit.kernel.data.table

edit

type: keyword

netfilter table name

audit.kernel.data.terminal

edit

type: keyword

terminal name the user is running programs on

audit.kernel.data.comm

edit

type: keyword

command line program name

audit.kernel.data.exe

edit

type: keyword

executable name

audit.kernel.data.grantors

edit

type: keyword

pam modules approving the action

audit.kernel.data.pid

edit

type: keyword

process ID

audit.kernel.data.direction

edit

type: keyword

direction of crypto operation

audit.kernel.data.op

edit

type: keyword

the operation being performed that is audited

audit.kernel.data.tty

edit

type: keyword

tty udevice the user is running programs on

audit.kernel.data.proctitle

edit

type: keyword

process title and command line parameters

audit.kernel.data.syscall

edit

type: keyword

syscall number in effect when the event occurred

audit.kernel.data.data

edit

type: keyword

TTY text

audit.kernel.data.family

edit

type: keyword

netfilter protocol

audit.kernel.data.mac

edit

type: keyword

crypto MAC algorithm selected

audit.kernel.data.pfs

edit

type: keyword

perfect forward secrecy method

audit.kernel.data.items

edit

type: keyword

the number of path records in the event

audit.kernel.data.a0

edit

type: keyword

audit.kernel.data.a1

edit

type: keyword

audit.kernel.data.a2

edit

type: keyword

audit.kernel.data.a3

edit

type: keyword

audit.kernel.data.cwd

edit

type: keyword

the current working directory

audit.kernel.data.hostname

edit

type: keyword

the hostname that the user is connecting from

audit.kernel.data.lport

edit

type: keyword

local network port

audit.kernel.data.ppid

edit

type: keyword

parent process ID

audit.kernel.data.rport

edit

type: keyword

remote port number

audit.kernel.data.cmdline

edit

type: keyword

The full command line from the execve message.

audit.kernel.data.exit

edit

type: keyword

syscall exit code

audit.kernel.data.fp

edit

type: keyword

crypto key finger print

audit.kernel.data.laddr

edit

type: keyword

local network address

audit.kernel.data.sport

edit

type: keyword

local port number

audit.kernel.data.capability

edit

type: keyword

posix capabilities

audit.kernel.data.nargs

edit

type: keyword

the number of arguments to a socket call

audit.kernel.data.new-enabled

edit

type: keyword

new TTY audit enabled setting

audit.kernel.data.audit_backlog_limit

edit

type: keyword

audit system’s backlog queue size

audit.kernel.data.dir

edit

type: keyword

directory name

audit.kernel.data.cap_pe

edit

type: keyword

process effective capability map

audit.kernel.data.model

edit

type: keyword

security model being used for virt

audit.kernel.data.new_pp

edit

type: keyword

new process permitted capability map

audit.kernel.data.old-enabled

edit

type: keyword

present TTY audit enabled setting

audit.kernel.data.oauid

edit

type: keyword

object’s login user ID

audit.kernel.data.old

edit

type: keyword

old value

audit.kernel.data.banners

edit

type: keyword

banners used on printed page

audit.kernel.data.feature

edit

type: keyword

kernel feature being changed

audit.kernel.data.vm-ctx

edit

type: keyword

the vm’s context string

audit.kernel.data.opid

edit

type: keyword

object’s process ID

audit.kernel.data.seperms

edit

type: keyword

SELinux permissions being used

audit.kernel.data.seresult

edit

type: keyword

SELinux AVC decision granted/denied

audit.kernel.data.new-rng

edit

type: keyword

device name of rng being added from a vm

audit.kernel.data.old-net

edit

type: keyword

present MAC address assigned to vm

audit.kernel.data.sigev_signo

edit

type: keyword

signal number

audit.kernel.data.ino

edit

type: keyword

inode number

audit.kernel.data.old_enforcing

edit

type: keyword

old MAC enforcement status

audit.kernel.data.old-vcpu

edit

type: keyword

present number of CPU cores

audit.kernel.data.range

edit

type: keyword

user’s SE Linux range

audit.kernel.data.res

edit

type: keyword

result of the audited operation(success/fail)

audit.kernel.data.added

edit

type: keyword

number of new files detected

audit.kernel.data.fam

edit

type: keyword

socket address family

audit.kernel.data.nlnk-pid

edit

type: keyword

pid of netlink packet sender

audit.kernel.data.subj

edit

type: keyword

lspp subject’s context string

audit.kernel.data.a[0-3]

edit

type: keyword

the arguments to a syscall

audit.kernel.data.cgroup

edit

type: keyword

path to cgroup in sysfs

audit.kernel.data.kernel

edit

type: keyword

kernel’s version number

audit.kernel.data.ocomm

edit

type: keyword

object’s command line name

audit.kernel.data.new-net

edit

type: keyword

MAC address being assigned to vm

audit.kernel.data.permissive

edit

type: keyword

SELinux is in permissive mode

audit.kernel.data.class

edit

type: keyword

resource class assigned to vm

audit.kernel.data.compat

edit

type: keyword

is_compat_task result

audit.kernel.data.fi

edit

type: keyword

file assigned inherited capability map

audit.kernel.data.changed

edit

type: keyword

number of changed files

audit.kernel.data.msg

edit

type: keyword

the payload of the audit record

audit.kernel.data.dport

edit

type: keyword

remote port number

audit.kernel.data.new-seuser

edit

type: keyword

new SELinux user

audit.kernel.data.invalid_context

edit

type: keyword

SELinux context

audit.kernel.data.dmac

edit

type: keyword

remote MAC address

audit.kernel.data.ipx-net

edit

type: keyword

IPX network number

audit.kernel.data.iuid

edit

type: keyword

ipc object’s user ID

audit.kernel.data.macproto

edit

type: keyword

ethernet packet type ID field

audit.kernel.data.obj

edit

type: keyword

lspp object context string

audit.kernel.data.a[[:digit:]+]\[.*\]

edit

type: keyword

the arguments to the execve syscall

audit.kernel.data.ipid

edit

type: keyword

IP datagram fragment identifier

audit.kernel.data.new-fs

edit

type: keyword

file system being added to vm

audit.kernel.data.vm-pid

edit

type: keyword

vm’s process ID

audit.kernel.data.cap_pi

edit

type: keyword

process inherited capability map

audit.kernel.data.old-auid

edit

type: keyword

previous auid value

audit.kernel.data.oses

edit

type: keyword

object’s session ID

audit.kernel.data.fd

edit

type: keyword

file descriptor number

audit.kernel.data.igid

edit

type: keyword

ipc object’s group ID

audit.kernel.data.new-disk

edit

type: keyword

disk being added to vm

audit.kernel.data.parent

edit

type: keyword

the inode number of the parent file

audit.kernel.data.len

edit

type: keyword

length

audit.kernel.data.oflag

edit

type: keyword

open syscall flags

audit.kernel.data.uuid

edit

type: keyword

a UUID

audit.kernel.data.code

edit

type: keyword

seccomp action code

audit.kernel.data.nlnk-grp

edit

type: keyword

netlink group number

audit.kernel.data.cap_fp

edit

type: keyword

file permitted capability map

audit.kernel.data.new-mem

edit

type: keyword

new amount of memory in KB

audit.kernel.data.seperm

edit

type: keyword

SELinux permission being decided on

audit.kernel.data.enforcing

edit

type: keyword

new MAC enforcement status

audit.kernel.data.new-chardev

edit

type: keyword

new character device being assigned to vm

audit.kernel.data.old-rng

edit

type: keyword

device name of rng being removed from a vm

audit.kernel.data.outif

edit

type: keyword

out interface number

audit.kernel.data.cmd

edit

type: keyword

command being executed

audit.kernel.data.hook

edit

type: keyword

netfilter hook that packet came from

audit.kernel.data.new-level

edit

type: keyword

new run level

audit.kernel.data.sauid

edit

type: keyword

sent login user ID

audit.kernel.data.sig

edit

type: keyword

signal number

audit.kernel.data.audit_backlog_wait_time

edit

type: keyword

audit system’s backlog wait time

audit.kernel.data.printer

edit

type: keyword

printer name

audit.kernel.data.old-mem

edit

type: keyword

present amount of memory in KB

audit.kernel.data.perm

edit

type: keyword

the file permission being used

audit.kernel.data.old_pi

edit

type: keyword

old process inherited capability map

audit.kernel.data.state

edit

type: keyword

audit daemon configuration resulting state

audit.kernel.data.format

edit

type: keyword

audit log’s format

audit.kernel.data.new_gid

edit

type: keyword

new group ID being assigned

audit.kernel.data.tcontext

edit

type: keyword

the target’s or object’s context string

audit.kernel.data.maj

edit

type: keyword

device major number

audit.kernel.data.watch

edit

type: keyword

file name in a watch record

audit.kernel.data.device

edit

type: keyword

device name

audit.kernel.data.grp

edit

type: keyword

group name

audit.kernel.data.bool

edit

type: keyword

name of SELinux boolean

audit.kernel.data.icmp_type

edit

type: keyword

type of icmp message

audit.kernel.data.new_lock

edit

type: keyword

new value of feature lock

audit.kernel.data.old_prom

edit

type: keyword

network promiscuity flag

audit.kernel.data.acl

edit

type: keyword

access mode of resource assigned to vm

audit.kernel.data.ip

edit

type: keyword

network address of a printer

audit.kernel.data.new_pi

edit

type: keyword

new process inherited capability map

audit.kernel.data.default-context

edit

type: keyword

default MAC context

audit.kernel.data.inode_gid

edit

type: keyword

group ID of the inode’s owner

audit.kernel.data.new-log_passwd

edit

type: keyword

new value for TTY password logging

audit.kernel.data.new_pe

edit

type: keyword

new process effective capability map

audit.kernel.data.selected-context

edit

type: keyword

new MAC context assigned to session

audit.kernel.data.cap_fver

edit

type: keyword

file system capabilities version number

audit.kernel.data.file

edit

type: keyword

file name

audit.kernel.data.net

edit

type: keyword

network MAC address

audit.kernel.data.virt

edit

type: keyword

kind of virtualization being referenced

audit.kernel.data.cap_pp

edit

type: keyword

process permitted capability map

audit.kernel.data.old-range

edit

type: keyword

present SELinux range

audit.kernel.data.resrc

edit

type: keyword

resource being assigned

audit.kernel.data.new-range

edit

type: keyword

new SELinux range

audit.kernel.data.obj_gid

edit

type: keyword

group ID of object

audit.kernel.data.proto

edit

type: keyword

network protocol

audit.kernel.data.old-disk

edit

type: keyword

disk being removed from vm

audit.kernel.data.audit_failure

edit

type: keyword

audit system’s failure mode

audit.kernel.data.inif

edit

type: keyword

in interface number

audit.kernel.data.vm

edit

type: keyword

virtual machine name

audit.kernel.data.flags

edit

type: keyword

mmap syscall flags

audit.kernel.data.nlnk-fam

edit

type: keyword

netlink protocol number

audit.kernel.data.old-fs

edit

type: keyword

file system being removed from vm

audit.kernel.data.old-ses

edit

type: keyword

previous ses value

audit.kernel.data.seqno

edit

type: keyword

sequence number

audit.kernel.data.fver

edit

type: keyword

file system capabilities version number

audit.kernel.data.qbytes

edit

type: keyword

ipc objects quantity of bytes

audit.kernel.data.seuser

edit

type: keyword

user’s SE Linux user acct

audit.kernel.data.cap_fe

edit

type: keyword

file assigned effective capability map

audit.kernel.data.new-vcpu

edit

type: keyword

new number of CPU cores

audit.kernel.data.old-level

edit

type: keyword

old run level

audit.kernel.data.old_pp

edit

type: keyword

old process permitted capability map

audit.kernel.data.daddr

edit

type: keyword

remote IP address

audit.kernel.data.old-role

edit

type: keyword

present SELinux role

audit.kernel.data.ioctlcmd

edit

type: keyword

The request argument to the ioctl syscall

audit.kernel.data.smac

edit

type: keyword

local MAC address

audit.kernel.data.apparmor

edit

type: keyword

apparmor event information

audit.kernel.data.fe

edit

type: keyword

file assigned effective capability map

audit.kernel.data.perm_mask

edit

type: keyword

file permission mask that triggered a watch event

audit.kernel.data.ses

edit

type: keyword

login session ID

audit.kernel.data.cap_fi

edit

type: keyword

file inherited capability map

audit.kernel.data.obj_uid

edit

type: keyword

user ID of object

audit.kernel.data.reason

edit

type: keyword

text string denoting a reason for the action

audit.kernel.data.list

edit

type: keyword

the audit system’s filter list number

audit.kernel.data.old_lock

edit

type: keyword

present value of feature lock

audit.kernel.data.bus

edit

type: keyword

name of subsystem bus a vm resource belongs to

audit.kernel.data.old_pe

edit

type: keyword

old process effective capability map

audit.kernel.data.new-role

edit

type: keyword

new SELinux role

audit.kernel.data.prom

edit

type: keyword

network promiscuity flag

audit.kernel.data.uri

edit

type: keyword

URI pointing to a printer

audit.kernel.data.audit_enabled

edit

type: keyword

audit systems’s enable/disable status

audit.kernel.data.old-log_passwd

edit

type: keyword

present value for TTY password logging

audit.kernel.data.old-seuser

edit

type: keyword

present SELinux user

audit.kernel.data.per

edit

type: keyword

linux personality

audit.kernel.data.scontext

edit

type: keyword

the subject’s context string

audit.kernel.data.tclass

edit

type: keyword

target’s object classification

audit.kernel.data.ver

edit

type: keyword

audit daemon’s version number

audit.kernel.data.new

edit

type: keyword

value being set in feature

audit.kernel.data.val

edit

type: keyword

generic value associated with the operation

audit.kernel.data.img-ctx

edit

type: keyword

the vm’s disk image context string

audit.kernel.data.old-chardev

edit

type: keyword

present character device assigned to vm

audit.kernel.data.old_val

edit

type: keyword

current value of SELinux boolean

audit.kernel.data.success

edit

type: keyword

whether the syscall was successful or not

audit.kernel.data.inode_uid

edit

type: keyword

user ID of the inode’s owner

audit.kernel.data.removed

edit

type: keyword

number of deleted files

audit.kernel.messages

edit

type: text

An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if kernel.include_raw_message is set in the config.

audit.kernel.warnings

edit

type: keyword

The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.

geoip fields

edit

Contains GeoIP information gathered based on the os_events.audit.addr field. Only present if the GeoIP Elasticsearch plugin is available and used.

audit.kernel.geoip.continent_name

edit

type: keyword

The name of the continent.

audit.kernel.geoip.city_name

edit

type: keyword

The name of the city.

audit.kernel.geoip.region_name

edit

type: keyword

The name of the region.

audit.kernel.geoip.country_iso_code

edit

type: keyword

Country ISO code.

audit.kernel.geoip.location

edit

type: geo_point

The longitude and latitude.