WARNING: Version 6.1 of Auditbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Audit fields
The audit module reports security-relevant information based on data captured from the operating system (OS) or services running on the OS.
audit fields
file fields
The file metricset generates events when a file changes on disk.
audit.file.path
type: text
The path to the file.
audit.file.path.raw
type: keyword
The path to the file. This is a non-analyzed field that is useful for aggregations.
audit.file.target_path
type: keyword
The target path for symlinks.
audit.file.action
type: keyword
example: attributes_modified
Action describes the change that triggered the event. The possible values are: attributes_modified, created, deleted, updated, moved, and config_change.
audit.file.type
type: keyword
The file type (file, dir, or symlink).
audit.file.inode
type: keyword
The inode representing the file in the filesystem.
audit.file.uid
type: keyword
The user ID (UID) of the file owner.
audit.file.owner
type: keyword
The file owner’s username.
audit.file.gid
type: keyword
The primary group ID (GID) of the file.
audit.file.group
type: keyword
The primary group name of the file.
audit.file.sid
type: keyword
The security identifier (SID) of the file owner (Windows only).
audit.file.mode
type: keyword
example: 416
The mode of the file in octal representation.
audit.file.size
type: long
The file size in bytes (field is only added when type is file).
audit.file.mtime
type: date
The last modified time of the file (time when content was modified).
audit.file.ctime
type: date
The last change time of the file (time when metadata was changed).
audit.file.hashed
type: boolean
Boolean indicating if the event includes any file hashes.
audit.file.md5
type: keyword
MD5 hash of the file.
audit.file.sha1
type: keyword
SHA1 hash of the file.
audit.file.sha224
type: keyword
SHA224 hash of the file.
audit.file.sha256
type: keyword
SHA256 hash of the file.
audit.file.sha384
type: keyword
SHA384 hash of the file.
audit.file.sha3_224
type: keyword
SHA3_224 hash of the file.
audit.file.sha3_256
type: keyword
SHA3_256 hash of the file.
audit.file.sha3_384
type: keyword
SHA3_384 hash of the file.
audit.file.sha3_512
type: keyword
SHA3_512 hash of the file.
audit.file.sha512
type: keyword
SHA512 hash of the file.
audit.file.sha512_224
type: keyword
SHA512/224 hash of the file.
audit.file.sha512_256
type: keyword
SHA512/256 hash of the file.
kernel fields
The kernel metricset distributes audit events received from the Linux Audit Framework that is a part of the Linux kernel.
audit.kernel.action
type: keyword
example: logged-in
A description of the action taken by the user.
actor fields
The actor is the user that triggered the audit event.
attrs fields
Attributes of the actor.
audit.kernel.actor.attrs.auid
type: keyword
login user ID
audit.kernel.actor.attrs.uid
type: keyword
user ID
audit.kernel.actor.attrs.euid
type: keyword
effective user ID
audit.kernel.actor.attrs.fsuid
type: keyword
file system user ID
audit.kernel.actor.attrs.suid
type: keyword
sent user ID
audit.kernel.actor.attrs.gid
type: keyword
group ID
audit.kernel.actor.attrs.egid
type: keyword
effective group ID
audit.kernel.actor.attrs.sgid
type: keyword
set group ID
audit.kernel.actor.attrs.fsgid
type: keyword
file system group ID
audit.kernel.actor.primary
type: keyword
The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.
audit.kernel.actor.secondary
type: keyword
The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su.
selinux fields
The SELinux identity of the actor.
audit.kernel.actor.selinux.user
type: keyword
account submitted for authentication
audit.kernel.actor.selinux.role
type: keyword
user’s SELinux role
audit.kernel.actor.selinux.domain
type: keyword
The actor’s SELinux domain or type.
audit.kernel.actor.selinux.level
type: keyword
example: s0
The actor’s SELinux level.
audit.kernel.actor.selinux.category
type: keyword
The actor’s SELinux category or compartments.
audit.kernel.category
type: keyword
example: audit-rule
The event’s category is a value derived from the record_type.
audit.kernel.sequence
type: long
The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can roll over.
audit.kernel.session
type: keyword
The session ID assigned to a login. All events related to a login session will have the same value.
paths fields
List of paths associated with the event.
audit.kernel.paths.inode
type: keyword
inode number
audit.kernel.paths.dev
type: keyword
device name as found in /dev
audit.kernel.paths.obj_user
type: keyword
audit.kernel.paths.obj_role
type: keyword
audit.kernel.paths.obj_domain
type: keyword
audit.kernel.paths.obj_level
type: keyword
audit.kernel.paths.objtype
type: keyword
audit.kernel.paths.ouid
type: keyword
file owner user ID
audit.kernel.paths.rdev
type: keyword
the device identifier (special files only)
audit.kernel.paths.nametype
type: keyword
kind of file operation being referenced
audit.kernel.paths.ogid
type: keyword
file owner group ID
audit.kernel.paths.item
type: keyword
which item is being recorded
audit.kernel.paths.mode
type: keyword
mode flags on a file
audit.kernel.paths.name
type: keyword
file name in avcs
audit.kernel.record_type
type: keyword
The audit record’s type.
socket fields
Socket data from sockaddr messages.
audit.kernel.socket.port
type: keyword
The port number.
audit.kernel.socket.saddr
type: keyword
The raw socket address structure.
audit.kernel.socket.addr
type: keyword
The remote address.
audit.kernel.socket.family
type: keyword
example: unix
The socket family (unix, ipv4, ipv6, netlink).
audit.kernel.socket.path
type: keyword
This is the path associated with a unix socket.
thing fields
This is the thing or object being acted upon in the event.
audit.kernel.thing.what
type: keyword
A description of what the "thing" is (e.g. file, socket, user-session).
audit.kernel.thing.primary
type: keyword
audit.kernel.thing.secondary
type: keyword
selinux fields
The SELinux identity of the object.
audit.kernel.thing.selinux.user
type: keyword
The owner of the object.
audit.kernel.thing.selinux.role
type: keyword
The object’s SELinux role.
audit.kernel.thing.selinux.domain
type: keyword
The object’s SELinux domain or type.
audit.kernel.thing.selinux.level
type: keyword
example: s0
The object’s SELinux level.
audit.kernel.how
type: keyword
This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.
audit.kernel.key
type: keyword
The key assigned to the audit rule that triggered the event.
audit.kernel.result
type: keyword
example: success or fail
The result of the audited operation (success/fail).
data fields
The data from the audit messages.
audit.kernel.data.action
type: keyword
netfilter packet disposition
audit.kernel.data.minor
type: keyword
device minor number
audit.kernel.data.acct
type: keyword
a user’s account name
audit.kernel.data.addr
type: keyword
the remote address that the user is connecting from
audit.kernel.data.cipher
type: keyword
name of crypto cipher selected
audit.kernel.data.id
type: keyword
during account changes
audit.kernel.data.entries
type: keyword
number of entries in the netfilter table
audit.kernel.data.kind
type: keyword
server or client in crypto operation
audit.kernel.data.ksize
type: keyword
key size for crypto operation
audit.kernel.data.spid
type: keyword
sent process ID
audit.kernel.data.arch
type: keyword
the elf architecture flags
audit.kernel.data.argc
type: keyword
the number of arguments to an execve syscall
audit.kernel.data.major
type: keyword
device major number
audit.kernel.data.unit
type: keyword
systemd unit
audit.kernel.data.table
type: keyword
netfilter table name
audit.kernel.data.terminal
type: keyword
terminal name the user is running programs on
audit.kernel.data.comm
type: keyword
command line program name
audit.kernel.data.exe
type: keyword
executable name
audit.kernel.data.grantors
type: keyword
pam modules approving the action
audit.kernel.data.pid
type: keyword
process ID
audit.kernel.data.direction
type: keyword
direction of crypto operation
audit.kernel.data.op
type: keyword
the operation being performed that is audited
audit.kernel.data.tty
type: keyword
tty device the user is running programs on
audit.kernel.data.proctitle
type: keyword
process title and command line parameters
audit.kernel.data.syscall
type: keyword
syscall number in effect when the event occurred
audit.kernel.data.data
type: keyword
TTY text
audit.kernel.data.family
type: keyword
netfilter protocol
audit.kernel.data.mac
type: keyword
crypto MAC algorithm selected
audit.kernel.data.pfs
type: keyword
perfect forward secrecy method
audit.kernel.data.items
type: keyword
the number of path records in the event
audit.kernel.data.a0
type: keyword
audit.kernel.data.a1
type: keyword
audit.kernel.data.a2
type: keyword
audit.kernel.data.a3
type: keyword
audit.kernel.data.cwd
type: keyword
the current working directory
audit.kernel.data.hostname
type: keyword
the hostname that the user is connecting from
audit.kernel.data.lport
type: keyword
local network port
audit.kernel.data.ppid
type: keyword
parent process ID
audit.kernel.data.rport
type: keyword
remote port number
audit.kernel.data.cmdline
type: keyword
The full command line from the execve message.
audit.kernel.data.exit
type: keyword
syscall exit code
audit.kernel.data.fp
type: keyword
crypto key fingerprint
audit.kernel.data.laddr
type: keyword
local network address
audit.kernel.data.sport
type: keyword
local port number
audit.kernel.data.capability
type: keyword
posix capabilities
audit.kernel.data.nargs
type: keyword
the number of arguments to a socket call
audit.kernel.data.new-enabled
type: keyword
new TTY audit enabled setting
audit.kernel.data.audit_backlog_limit
type: keyword
audit system’s backlog queue size
audit.kernel.data.dir
type: keyword
directory name
audit.kernel.data.cap_pe
type: keyword
process effective capability map
audit.kernel.data.model
type: keyword
security model being used for virt
audit.kernel.data.new_pp
type: keyword
new process permitted capability map
audit.kernel.data.old-enabled
type: keyword
present TTY audit enabled setting
audit.kernel.data.oauid
type: keyword
object’s login user ID
audit.kernel.data.old
type: keyword
old value
audit.kernel.data.banners
type: keyword
banners used on printed page
audit.kernel.data.feature
type: keyword
kernel feature being changed
audit.kernel.data.vm-ctx
type: keyword
the vm’s context string
audit.kernel.data.opid
type: keyword
object’s process ID
audit.kernel.data.seperms
type: keyword
SELinux permissions being used
audit.kernel.data.seresult
type: keyword
SELinux AVC decision granted/denied
audit.kernel.data.new-rng
type: keyword
device name of rng being added from a vm
audit.kernel.data.old-net
type: keyword
present MAC address assigned to vm
audit.kernel.data.sigev_signo
type: keyword
signal number
audit.kernel.data.ino
type: keyword
inode number
audit.kernel.data.old_enforcing
type: keyword
old MAC enforcement status
audit.kernel.data.old-vcpu
type: keyword
present number of CPU cores
audit.kernel.data.range
type: keyword
user’s SELinux range
audit.kernel.data.res
type: keyword
result of the audited operation (success/fail)
audit.kernel.data.added
type: keyword
number of new files detected
audit.kernel.data.fam
type: keyword
socket address family
audit.kernel.data.nlnk-pid
type: keyword
pid of netlink packet sender
audit.kernel.data.subj
type: keyword
lspp subject’s context string
audit.kernel.data.a[0-3]
type: keyword
the arguments to a syscall
audit.kernel.data.cgroup
type: keyword
path to cgroup in sysfs
audit.kernel.data.kernel
type: keyword
kernel’s version number
audit.kernel.data.ocomm
type: keyword
object’s command line name
audit.kernel.data.new-net
type: keyword
MAC address being assigned to vm
audit.kernel.data.permissive
type: keyword
SELinux is in permissive mode
audit.kernel.data.class
type: keyword
resource class assigned to vm
audit.kernel.data.compat
type: keyword
is_compat_task result
audit.kernel.data.fi
type: keyword
file assigned inherited capability map
audit.kernel.data.changed
type: keyword
number of changed files
audit.kernel.data.msg
type: keyword
the payload of the audit record
audit.kernel.data.dport
type: keyword
remote port number
audit.kernel.data.new-seuser
type: keyword
new SELinux user
audit.kernel.data.invalid_context
type: keyword
SELinux context
audit.kernel.data.dmac
type: keyword
remote MAC address
audit.kernel.data.ipx-net
type: keyword
IPX network number
audit.kernel.data.iuid
type: keyword
ipc object’s user ID
audit.kernel.data.macproto
type: keyword
ethernet packet type ID field
audit.kernel.data.obj
type: keyword
lspp object context string
audit.kernel.data.a[[:digit:]+]\[.*\]
type: keyword
the arguments to the execve syscall
audit.kernel.data.ipid
type: keyword
IP datagram fragment identifier
audit.kernel.data.new-fs
type: keyword
file system being added to vm
audit.kernel.data.vm-pid
type: keyword
vm’s process ID
audit.kernel.data.cap_pi
type: keyword
process inherited capability map
audit.kernel.data.old-auid
type: keyword
previous auid value
audit.kernel.data.oses
type: keyword
object’s session ID
audit.kernel.data.fd
type: keyword
file descriptor number
audit.kernel.data.igid
type: keyword
ipc object’s group ID
audit.kernel.data.new-disk
type: keyword
disk being added to vm
audit.kernel.data.parent
type: keyword
the inode number of the parent file
audit.kernel.data.len
type: keyword
length
audit.kernel.data.oflag
type: keyword
open syscall flags
audit.kernel.data.uuid
type: keyword
a UUID
audit.kernel.data.code
type: keyword
seccomp action code
audit.kernel.data.nlnk-grp
type: keyword
netlink group number
audit.kernel.data.cap_fp
type: keyword
file permitted capability map
audit.kernel.data.new-mem
type: keyword
new amount of memory in KB
audit.kernel.data.seperm
type: keyword
SELinux permission being decided on
audit.kernel.data.enforcing
type: keyword
new MAC enforcement status
audit.kernel.data.new-chardev
type: keyword
new character device being assigned to vm
audit.kernel.data.old-rng
type: keyword
device name of rng being removed from a vm
audit.kernel.data.outif
type: keyword
out interface number
audit.kernel.data.cmd
type: keyword
command being executed
audit.kernel.data.hook
type: keyword
netfilter hook that packet came from
audit.kernel.data.new-level
type: keyword
new run level
audit.kernel.data.sauid
type: keyword
sent login user ID
audit.kernel.data.sig
type: keyword
signal number
audit.kernel.data.audit_backlog_wait_time
type: keyword
audit system’s backlog wait time
audit.kernel.data.printer
type: keyword
printer name
audit.kernel.data.old-mem
type: keyword
present amount of memory in KB
audit.kernel.data.perm
type: keyword
the file permission being used
audit.kernel.data.old_pi
type: keyword
old process inherited capability map
audit.kernel.data.state
type: keyword
audit daemon configuration resulting state
audit.kernel.data.format
type: keyword
audit log’s format
audit.kernel.data.new_gid
type: keyword
new group ID being assigned
audit.kernel.data.tcontext
type: keyword
the target’s or object’s context string
audit.kernel.data.maj
type: keyword
device major number
audit.kernel.data.watch
type: keyword
file name in a watch record
audit.kernel.data.device
type: keyword
device name
audit.kernel.data.grp
type: keyword
group name
audit.kernel.data.bool
type: keyword
name of SELinux boolean
audit.kernel.data.icmp_type
type: keyword
type of icmp message
audit.kernel.data.new_lock
type: keyword
new value of feature lock
audit.kernel.data.old_prom
type: keyword
network promiscuity flag
audit.kernel.data.acl
type: keyword
access mode of resource assigned to vm
audit.kernel.data.ip
type: keyword
network address of a printer
audit.kernel.data.new_pi
type: keyword
new process inherited capability map
audit.kernel.data.default-context
type: keyword
default MAC context
audit.kernel.data.inode_gid
type: keyword
group ID of the inode’s owner
audit.kernel.data.new-log_passwd
type: keyword
new value for TTY password logging
audit.kernel.data.new_pe
type: keyword
new process effective capability map
audit.kernel.data.selected-context
type: keyword
new MAC context assigned to session
audit.kernel.data.cap_fver
type: keyword
file system capabilities version number
audit.kernel.data.file
type: keyword
file name
audit.kernel.data.net
type: keyword
network MAC address
audit.kernel.data.virt
type: keyword
kind of virtualization being referenced
audit.kernel.data.cap_pp
type: keyword
process permitted capability map
audit.kernel.data.old-range
type: keyword
present SELinux range
audit.kernel.data.resrc
type: keyword
resource being assigned
audit.kernel.data.new-range
type: keyword
new SELinux range
audit.kernel.data.obj_gid
type: keyword
group ID of object
audit.kernel.data.proto
type: keyword
network protocol
audit.kernel.data.old-disk
type: keyword
disk being removed from vm
audit.kernel.data.audit_failure
type: keyword
audit system’s failure mode
audit.kernel.data.inif
type: keyword
in interface number
audit.kernel.data.vm
type: keyword
virtual machine name
audit.kernel.data.flags
type: keyword
mmap syscall flags
audit.kernel.data.nlnk-fam
type: keyword
netlink protocol number
audit.kernel.data.old-fs
type: keyword
file system being removed from vm
audit.kernel.data.old-ses
type: keyword
previous ses value
audit.kernel.data.seqno
type: keyword
sequence number
audit.kernel.data.fver
type: keyword
file system capabilities version number
audit.kernel.data.qbytes
type: keyword
ipc object’s quantity of bytes
audit.kernel.data.seuser
type: keyword
user’s SELinux user acct
audit.kernel.data.cap_fe
type: keyword
file assigned effective capability map
audit.kernel.data.new-vcpu
type: keyword
new number of CPU cores
audit.kernel.data.old-level
type: keyword
old run level
audit.kernel.data.old_pp
type: keyword
old process permitted capability map
audit.kernel.data.daddr
type: keyword
remote IP address
audit.kernel.data.old-role
type: keyword
present SELinux role
audit.kernel.data.ioctlcmd
type: keyword
The request argument to the ioctl syscall
audit.kernel.data.smac
type: keyword
local MAC address
audit.kernel.data.apparmor
type: keyword
apparmor event information
audit.kernel.data.fe
type: keyword
file assigned effective capability map
audit.kernel.data.perm_mask
type: keyword
file permission mask that triggered a watch event
audit.kernel.data.ses
type: keyword
login session ID
audit.kernel.data.cap_fi
type: keyword
file inherited capability map
audit.kernel.data.obj_uid
type: keyword
user ID of object
audit.kernel.data.reason
type: keyword
text string denoting a reason for the action
audit.kernel.data.list
type: keyword
the audit system’s filter list number
audit.kernel.data.old_lock
type: keyword
present value of feature lock
audit.kernel.data.bus
type: keyword
name of subsystem bus a vm resource belongs to
audit.kernel.data.old_pe
type: keyword
old process effective capability map
audit.kernel.data.new-role
type: keyword
new SELinux role
audit.kernel.data.prom
type: keyword
network promiscuity flag
audit.kernel.data.uri
type: keyword
URI pointing to a printer
audit.kernel.data.audit_enabled
type: keyword
audit system’s enable/disable status
audit.kernel.data.old-log_passwd
type: keyword
present value for TTY password logging
audit.kernel.data.old-seuser
type: keyword
present SELinux user
audit.kernel.data.per
type: keyword
Linux personality
audit.kernel.data.scontext
type: keyword
the subject’s context string
audit.kernel.data.tclass
type: keyword
target’s object classification
audit.kernel.data.ver
type: keyword
audit daemon’s version number
audit.kernel.data.new
type: keyword
value being set in feature
audit.kernel.data.val
type: keyword
generic value associated with the operation
audit.kernel.data.img-ctx
type: keyword
the vm’s disk image context string
audit.kernel.data.old-chardev
type: keyword
present character device assigned to vm
audit.kernel.data.old_val
type: keyword
current value of SELinux boolean
audit.kernel.data.success
type: keyword
whether the syscall was successful or not
audit.kernel.data.inode_uid
type: keyword
user ID of the inode’s owner
audit.kernel.data.removed
type: keyword
number of deleted files
audit.kernel.messages
type: text
An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if kernel.include_raw_message is set in the config.
audit.kernel.warnings
type: keyword
The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.
geoip fields
Contains GeoIP information gathered based on the os_events.audit.addr field. Only present if the GeoIP Elasticsearch plugin is available and used.
audit.kernel.geoip.continent_name
type: keyword
The name of the continent.
audit.kernel.geoip.city_name
type: keyword
The name of the city.
audit.kernel.geoip.region_name
type: keyword
The name of the region.
audit.kernel.geoip.country_iso_code
type: keyword
Country ISO code.
audit.kernel.geoip.location
type: geo_point
The longitude and latitude.