WARNING: Version 6.2 of Auditbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Auditd fields
These are the fields generated by the auditd module.
event.category
type: keyword
example: audit-rule
The event’s category, derived from the audit record_type.
event.type
type: keyword
The audit record’s type.
user.auid
type: keyword
login user ID (set at login and inherited by every descendant process, so it survives su and sudo)
user.uid
type: keyword
user ID
user.euid
type: keyword
effective user ID
user.fsuid
type: keyword
file system user ID
user.suid
type: keyword
saved set-user-ID
user.gid
type: keyword
group ID
user.egid
type: keyword
effective group ID
user.sgid
type: keyword
saved set-group-ID
user.fsgid
type: keyword
file system group ID
name_map fields
If resolve_ids is set to true in the configuration then name_map will contain a mapping of uid field names to the resolved name (e.g. auid → root).
user.name_map.auid
type: keyword
login user name
user.name_map.uid
type: keyword
user name
user.name_map.euid
type: keyword
effective user name
user.name_map.fsuid
type: keyword
file system user name
user.name_map.suid
type: keyword
name of the saved set-user-ID
user.name_map.gid
type: keyword
group name
user.name_map.egid
type: keyword
effective group name
user.name_map.sgid
type: keyword
name of the saved set-group-ID
user.name_map.fsgid
type: keyword
file system group name
selinux fields
The SELinux identity of the actor.
user.selinux.user
type: keyword
The actor’s SELinux user (e.g. unconfined_u).
user.selinux.role
type: keyword
The actor’s SELinux role.
user.selinux.domain
type: keyword
The actor’s SELinux domain or type.
user.selinux.level
type: keyword
example: s0
The actor’s SELinux level (MLS sensitivity).
user.selinux.category
type: keyword
The actor’s SELinux category or compartments.
process fields
Process attributes.
process.pid
type: keyword
Process ID.
process.ppid
type: keyword
Parent process ID.
process.name
type: keyword
Process name (comm, which the kernel truncates to 15 characters).
process.title
type: keyword
Process title or command line parameters (proctitle).
process.exe
type: keyword
Absolute path of the executable.
process.cwd
type: keyword
The current working directory.
process.args
type: keyword
The process arguments as a list.
source fields
Source that triggered the event.
source.ip
type: ip
The remote address.
source.port
type: keyword
The port number.
source.hostname
type: keyword
Hostname of the source.
source.path
type: keyword
This is the path associated with a unix socket.
destination fields
Destination address that triggered the event.
destination.ip
type: ip
The remote address.
destination.port
type: keyword
The port number.
destination.hostname
type: keyword
Hostname of the destination.
destination.path
type: keyword
This is the path associated with a unix socket.
network.direction
type: keyword
Direction of the network traffic (incoming or outgoing).
auditd.sequence
type: long
The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can roll over, so consumers must not assume they only ever increase.
auditd.session
type: keyword
The session ID assigned to a login. All events related to a login session will have the same value.
auditd.result
type: keyword
example: success or fail
The result of the audited operation (success/fail).
actor fields
The actor is the user that triggered the audit event.
auditd.summary.actor.primary
type: keyword
The primary identity of the actor. This is the actor’s original login ID (auid). It will not change even if the user changes to another account.
auditd.summary.actor.secondary
type: keyword
The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su (or sudo) to become another account.
object fields
This is the thing or object being acted upon in the event.
auditd.summary.object.type
type: keyword
A description of what the "thing" is (e.g. file, socket, user-session).
auditd.summary.object.primary
type: keyword
auditd.summary.object.secondary
type: keyword
auditd.summary.how
type: keyword
This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.
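The steps that turn raw kernel records into auditd.sequence, auditd.result, the name_map fields and the actor summary described above, as an added example written for this page (Python, not Auditbeat's own Go implementation). The two audit lines are constructed, the PASSWD/GROUPS tables are a hypothetical stand-in for the getpwuid()/getgrgid() lookups that resolve_ids performs on a real host, and the syscall numbers assume x86_64. The serial in the sample sits at the top of the uint32 range so that the rollover caveat on auditd.sequence is exercised.

```python
import errno
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, not a real capture: a SYSCALL record and its PROCTITLE
# record for one event on x86_64 (arch=c000003e, syscall 257 = openat).
# The login user (auid=1000) switched to root with su, so uid differs from auid.
SAMPLE_MESSAGES = [
    "type=SYSCALL msg=audit(1521130987.123:4294967295): arch=c000003e syscall=257 "
    "success=yes exit=3 a0=ffffff9c a1=7ffd2e4b1a10 a2=0 a3=0 items=1 ppid=2115 pid=2190 "
    "auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 "
    'tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow-access"',
    "type=PROCTITLE msg=audit(1521130987.123:4294967295): "
    "proctitle=636174002F6574632F736861646F77",
]

# Hypothetical stand-in for getpwuid()/getgrgid() so the example runs offline.
PASSWD = {0: "root", 1000: "alice"}
GROUPS = {0: "root", 1000: "alice"}
UID_FIELDS = ("auid", "uid", "euid", "suid", "fsuid")
GID_FIELDS = ("gid", "egid", "sgid", "fsgid")
UNSET_ID = 0xFFFFFFFF  # the kernel writes (unsigned)-1 when auid/ses were never set

_HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): ?(.*)$")
_KV = re.compile(r'(\S+?)=("[^"]*"|\S*)')


def parse_record(line: str) -> Dict[str, object]:
    """Split one raw audit line into record type, timestamp, serial and key=value data."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, secs, millis, serial, body = m.groups()
    data = {k: v.strip('"') for k, v in _KV.findall(body)}
    return {
        "record_type": rtype,
        "timestamp": float("%s.%s" % (secs, millis)),
        "sequence": int(serial) & 0xFFFFFFFF,  # uint32 in the kernel
        "data": data,
    }


def sequence_gap(previous: int, current: int) -> int:
    """Serials between two events, correct across a uint32 rollover.
    A gap larger than 1 means records were lost (e.g. backlog overflow)."""
    return (current - previous) & 0xFFFFFFFF


def decode_exit(value: str) -> Tuple[bool, Optional[str]]:
    """exit= is the raw syscall return value; negative values are -errno."""
    n = int(value)
    if n < 0:
        return False, errno.errorcode.get(-n, "errno %d" % -n)
    return True, None


def decode_proctitle(hexstr: str) -> List[str]:
    """proctitle= is argv with NUL separators, hex-encoded by the kernel."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").rstrip("\x00").split("\x00")


def resolve_ids(data: Dict[str, str]) -> Dict[str, str]:
    """Build the name_map: each uid/gid field name -> resolved account or group name."""
    name_map: Dict[str, str] = {}
    lookups = [(f, PASSWD) for f in UID_FIELDS] + [(f, GROUPS) for f in GID_FIELDS]
    for field, table in lookups:
        if field not in data:
            continue
        ident = int(data[field])
        # unknown ids keep their numeric form rather than being dropped
        name_map[field] = "unset" if ident == UNSET_ID else table.get(ident, data[field])
    return name_map


def build_event(lines: List[str]) -> Dict[str, object]:
    """Assemble the per-event fields from all records that share one serial."""
    records = [parse_record(line) for line in lines]
    if len({r["sequence"] for r in records}) != 1:
        raise ValueError("records belong to different events")
    syscall = next(r for r in records if r["record_type"] == "SYSCALL")
    data = syscall["data"]
    ok, err = decode_exit(data["exit"])
    name_map = resolve_ids(data)
    proctitle = next((r for r in records if r["record_type"] == "PROCTITLE"), None)
    args = decode_proctitle(proctitle["data"]["proctitle"]) if proctitle else []
    return {
        "auditd.sequence": syscall["sequence"],
        "auditd.session": data.get("ses"),
        "auditd.result": "success" if ok else "fail",
        "errno": err,
        "user.name_map": name_map,
        # primary is the login identity (auid); secondary is the current uid, which differs after su
        "auditd.summary.actor.primary": name_map.get("auid"),
        "auditd.summary.actor.secondary": name_map.get("uid"),
        "auditd.summary.how": data.get("exe"),
        "process.args": args,
    }
```

The point worth taking from this: the actor's primary identity comes from auid, so an operator who ran `su` to root still appears as `alice` there, while secondary shows `root`; and a jump of more than one in sequence_gap() between consecutive events is the signal that the kernel dropped records, which is the gap an attacker benefits from.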
paths fields
List of paths associated with the event (one entry per PATH record).
auditd.paths.inode
type: keyword
inode number
auditd.paths.dev
type: keyword
device holding the inode, as major:minor in hex
auditd.paths.obj_user
type: keyword
SELinux user component of the object’s label
auditd.paths.obj_role
type: keyword
SELinux role component of the object’s label
auditd.paths.obj_domain
type: keyword
SELinux type (domain) component of the object’s label
auditd.paths.obj_level
type: keyword
SELinux level component of the object’s label
auditd.paths.objtype
type: keyword
auditd.paths.ouid
type: keyword
file owner user ID
auditd.paths.rdev
type: keyword
the device identifier (special files only)
auditd.paths.nametype
type: keyword
how the path was used in the operation (e.g. NORMAL, PARENT, CREATE, DELETE)
auditd.paths.ogid
type: keyword
file owner group ID
auditd.paths.item
type: keyword
index of this path among the event’s PATH records
auditd.paths.mode
type: keyword
mode flags on a file (octal, file type bits included)
auditd.paths.name
type: keyword
file name recorded in the PATH record (the path as passed to the syscall)
data fields
The data from the audit messages.
auditd.data.action
type: keyword
netfilter packet disposition
auditd.data.minor
type: keyword
device minor number
auditd.data.acct
type: keyword
a user’s account name
auditd.data.addr
type: keyword
the remote address that the user is connecting from
auditd.data.cipher
type: keyword
name of crypto cipher selected
auditd.data.id
type: keyword
the account ID involved in an account change
auditd.data.entries
type: keyword
number of entries in the netfilter table
auditd.data.kind
type: keyword
server or client in crypto operation
auditd.data.ksize
type: keyword
key size for crypto operation
auditd.data.spid
type: keyword
sent process ID
auditd.data.arch
type: keyword
the ELF machine type of the syscall ABI, in hex (e.g. c000003e for x86_64)
auditd.data.argc
type: keyword
the number of arguments to an execve syscall
auditd.data.major
type: keyword
device major number
auditd.data.unit
type: keyword
systemd unit
auditd.data.table
type: keyword
netfilter table name
auditd.data.terminal
type: keyword
terminal name the user is running programs on
auditd.data.grantors
type: keyword
PAM modules approving the action
auditd.data.direction
type: keyword
direction of crypto operation
auditd.data.op
type: keyword
the operation being performed that is audited
auditd.data.tty
type: keyword
tty device the user is running programs on
auditd.data.syscall
type: keyword
syscall number in effect when the event occurred (interpret it together with arch)
auditd.data.data
type: keyword
TTY text
auditd.data.family
type: keyword
netfilter protocol
auditd.data.mac
type: keyword
crypto MAC algorithm selected
auditd.data.pfs
type: keyword
perfect forward secrecy method
auditd.data.items
type: keyword
the number of path records in the event
auditd.data.a0
type: keyword
first argument to the syscall (hex)
auditd.data.a1
type: keyword
second argument to the syscall (hex)
auditd.data.a2
type: keyword
third argument to the syscall (hex)
auditd.data.a3
type: keyword
fourth argument to the syscall (hex)
auditd.data.hostname
type: keyword
the hostname that the user is connecting from
auditd.data.lport
type: keyword
local network port
auditd.data.rport
type: keyword
remote port number
auditd.data.exit
type: keyword
syscall return value (negative values are -errno)
auditd.data.fp
type: keyword
crypto key fingerprint
auditd.data.laddr
type: keyword
local network address
auditd.data.sport
type: keyword
local port number
auditd.data.capability
type: keyword
POSIX capability
auditd.data.nargs
type: keyword
the number of arguments to a socket call
auditd.data.new-enabled
type: keyword
new TTY audit enabled setting
auditd.data.audit_backlog_limit
type: keyword
audit system’s backlog queue size
auditd.data.dir
type: keyword
directory name
auditd.data.cap_pe
type: keyword
process effective capability map
auditd.data.model
type: keyword
security model being used for virt
auditd.data.new_pp
type: keyword
new process permitted capability map
auditd.data.old-enabled
type: keyword
present TTY audit enabled setting
auditd.data.oauid
type: keyword
object’s login user ID
auditd.data.old
type: keyword
old value
auditd.data.banners
type: keyword
banners used on printed page
auditd.data.feature
type: keyword
kernel feature being changed
auditd.data.vm-ctx
type: keyword
the vm’s context string
auditd.data.opid
type: keyword
object’s process ID
auditd.data.seperms
type: keyword
SELinux permissions being used
auditd.data.seresult
type: keyword
SELinux AVC decision granted/denied
auditd.data.new-rng
type: keyword
device name of rng being added from a vm
auditd.data.old-net
type: keyword
present MAC address assigned to vm
auditd.data.sigev_signo
type: keyword
signal number
auditd.data.ino
type: keyword
inode number
auditd.data.old_enforcing
type: keyword
old MAC enforcement status
auditd.data.old-vcpu
type: keyword
present number of CPU cores
auditd.data.range
type: keyword
user’s SELinux range
auditd.data.res
type: keyword
result of the audited operation (success/fail)
auditd.data.added
type: keyword
number of new files detected
auditd.data.fam
type: keyword
socket address family
auditd.data.nlnk-pid
type: keyword
pid of netlink packet sender
auditd.data.subj
type: keyword
lspp subject’s context string
auditd.data.a[0-3]
type: keyword
the first four arguments to a syscall (see a0 to a3)
auditd.data.cgroup
type: keyword
path to cgroup in sysfs
auditd.data.kernel
type: keyword
kernel’s version number
auditd.data.ocomm
type: keyword
object’s command line name
auditd.data.new-net
type: keyword
MAC address being assigned to vm
auditd.data.permissive
type: keyword
SELinux is in permissive mode
auditd.data.class
type: keyword
resource class assigned to vm
auditd.data.compat
type: keyword
is_compat_task result
auditd.data.fi
type: keyword
file assigned inherited capability map
auditd.data.changed
type: keyword
number of changed files
auditd.data.msg
type: keyword
the payload of the audit record
auditd.data.dport
type: keyword
remote port number
auditd.data.new-seuser
type: keyword
new SELinux user
auditd.data.invalid_context
type: keyword
SELinux context
auditd.data.dmac
type: keyword
remote MAC address
auditd.data.ipx-net
type: keyword
IPX network number
auditd.data.iuid
type: keyword
ipc object’s user ID
auditd.data.macproto
type: keyword
ethernet packet type ID field
auditd.data.obj
type: keyword
lspp object context string
auditd.data.ipid
type: keyword
IP datagram fragment identifier
auditd.data.new-fs
type: keyword
file system being added to vm
auditd.data.vm-pid
type: keyword
vm’s process ID
auditd.data.cap_pi
type: keyword
process inherited capability map
auditd.data.old-auid
type: keyword
previous auid value
auditd.data.oses
type: keyword
object’s session ID
auditd.data.fd
type: keyword
file descriptor number
auditd.data.igid
type: keyword
ipc object’s group ID
auditd.data.new-disk
type: keyword
disk being added to vm
auditd.data.parent
type: keyword
the inode number of the parent file
auditd.data.len
type: keyword
length
auditd.data.oflag
type: keyword
open syscall flags
auditd.data.uuid
type: keyword
a UUID
auditd.data.code
type: keyword
seccomp action code
auditd.data.nlnk-grp
type: keyword
netlink group number
auditd.data.cap_fp
type: keyword
file permitted capability map
auditd.data.new-mem
type: keyword
new amount of memory in KB
auditd.data.seperm
type: keyword
SELinux permission being decided on
auditd.data.enforcing
type: keyword
new MAC enforcement status
auditd.data.new-chardev
type: keyword
new character device being assigned to vm
auditd.data.old-rng
type: keyword
device name of rng being removed from a vm
auditd.data.outif
type: keyword
out interface number
auditd.data.cmd
type: keyword
command being executed
auditd.data.hook
type: keyword
netfilter hook that packet came from
auditd.data.new-level
type: keyword
new run level
auditd.data.sauid
type: keyword
sent login user ID
auditd.data.sig
type: keyword
signal number
auditd.data.audit_backlog_wait_time
type: keyword
audit system’s backlog wait time
auditd.data.printer
type: keyword
printer name
auditd.data.old-mem
type: keyword
present amount of memory in KB
auditd.data.perm
type: keyword
the file permission being used
auditd.data.old_pi
type: keyword
old process inherited capability map
auditd.data.state
type: keyword
audit daemon configuration resulting state
auditd.data.format
type: keyword
audit log’s format
auditd.data.new_gid
type: keyword
new group ID being assigned
auditd.data.tcontext
type: keyword
the target’s or object’s context string
auditd.data.maj
type: keyword
device major number
auditd.data.watch
type: keyword
file name in a watch record
auditd.data.device
type: keyword
device name
auditd.data.grp
type: keyword
group name
auditd.data.bool
type: keyword
name of SELinux boolean
auditd.data.icmp_type
type: keyword
type of icmp message
auditd.data.new_lock
type: keyword
new value of feature lock
auditd.data.old_prom
type: keyword
network promiscuity flag
auditd.data.acl
type: keyword
access mode of resource assigned to vm
auditd.data.ip
type: keyword
network address of a printer
auditd.data.new_pi
type: keyword
new process inherited capability map
auditd.data.default-context
type: keyword
default MAC context
auditd.data.inode_gid
type: keyword
group ID of the inode’s owner
auditd.data.new-log_passwd
type: keyword
new value for TTY password logging
auditd.data.new_pe
type: keyword
new process effective capability map
auditd.data.selected-context
type: keyword
new MAC context assigned to session
auditd.data.cap_fver
type: keyword
file system capabilities version number
auditd.data.file
type: keyword
file name
auditd.data.net
type: keyword
network MAC address
auditd.data.virt
type: keyword
kind of virtualization being referenced
auditd.data.cap_pp
type: keyword
process permitted capability map
auditd.data.old-range
type: keyword
present SELinux range
auditd.data.resrc
type: keyword
resource being assigned
auditd.data.new-range
type: keyword
new SELinux range
auditd.data.obj_gid
type: keyword
group ID of object
auditd.data.proto
type: keyword
network protocol
auditd.data.old-disk
type: keyword
disk being removed from vm
auditd.data.audit_failure
type: keyword
audit system’s failure mode
auditd.data.inif
type: keyword
in interface number
auditd.data.vm
type: keyword
virtual machine name
auditd.data.flags
type: keyword
mmap syscall flags
auditd.data.nlnk-fam
type: keyword
netlink protocol number
auditd.data.old-fs
type: keyword
file system being removed from vm
auditd.data.old-ses
type: keyword
previous ses value
auditd.data.seqno
type: keyword
sequence number
auditd.data.fver
type: keyword
file system capabilities version number
auditd.data.qbytes
type: keyword
ipc object’s quantity of bytes
auditd.data.seuser
type: keyword
user’s SELinux user account
auditd.data.cap_fe
type: keyword
file assigned effective capability map
auditd.data.new-vcpu
type: keyword
new number of CPU cores
auditd.data.old-level
type: keyword
old run level
auditd.data.old_pp
type: keyword
old process permitted capability map
auditd.data.daddr
type: keyword
remote IP address
auditd.data.old-role
type: keyword
present SELinux role
auditd.data.ioctlcmd
type: keyword
the request argument to the ioctl syscall
auditd.data.smac
type: keyword
local MAC address
auditd.data.apparmor
type: keyword
AppArmor event information
auditd.data.fe
type: keyword
file assigned effective capability map
auditd.data.perm_mask
type: keyword
file permission mask that triggered a watch event
auditd.data.ses
type: keyword
login session ID
auditd.data.cap_fi
type: keyword
file inherited capability map
auditd.data.obj_uid
type: keyword
user ID of object
auditd.data.reason
type: keyword
text string denoting a reason for the action
auditd.data.list
type: keyword
the audit system’s filter list number
auditd.data.old_lock
type: keyword
present value of feature lock
auditd.data.bus
type: keyword
name of subsystem bus a vm resource belongs to
auditd.data.old_pe
type: keyword
old process effective capability map
auditd.data.new-role
type: keyword
new SELinux role
auditd.data.prom
type: keyword
network promiscuity flag
auditd.data.uri
type: keyword
URI pointing to a printer
auditd.data.audit_enabled
type: keyword
audit system’s enable/disable status
auditd.data.old-log_passwd
type: keyword
present value for TTY password logging
auditd.data.old-seuser
type: keyword
present SELinux user
auditd.data.per
type: keyword
linux personality
auditd.data.scontext
type: keyword
the subject’s context string
auditd.data.tclass
type: keyword
target’s object classification
auditd.data.ver
type: keyword
audit daemon’s version number
auditd.data.new
type: keyword
value being set in feature
auditd.data.val
type: keyword
generic value associated with the operation
auditd.data.img-ctx
type: keyword
the vm’s disk image context string
auditd.data.old-chardev
type: keyword
present character device assigned to vm
auditd.data.old_val
type: keyword
current value of SELinux boolean
auditd.data.success
type: keyword
whether the syscall was successful or not (yes/no)
auditd.data.inode_uid
type: keyword
user ID of the inode’s owner
auditd.data.removed
type: keyword
number of deleted files
auditd.data.socket.port
type: keyword
The port number.
auditd.data.socket.saddr
type: keyword
The raw socket address structure, hex-encoded as the kernel writes it in SOCKADDR records.
auditd.data.socket.addr
type: keyword
The remote address.
auditd.data.socket.family
type: keyword
example: unix
The socket family (unix, ipv4, ipv6, netlink).
auditd.data.socket.path
type: keyword
This is the path associated with a unix socket.
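How the hex saddr structure decodes into the socket.family, socket.addr, socket.port and socket.path fields, and how the syscall that produced it decides network.direction and whether the peer lands in the source or destination group defined earlier on this page, as an added example written for this page (Python, not Auditbeat's own Go code). It assumes x86_64 syscall numbers (arch=c000003e) and a little-endian host for the sa_family bytes; the saddr values in SAMPLE_SADDR are constructed, not captured, and the "@" prefix for abstract unix sockets is a display convention borrowed from ss(8), not an audit field.

```python
import ipaddress
import struct
from typing import Dict, Optional

# Address families as defined in <linux/socket.h>; the names are the values
# this page lists for auditd.data.socket.family.
AF_UNIX, AF_INET, AF_INET6, AF_NETLINK = 1, 2, 10, 16
FAMILY_NAMES = {AF_UNIX: "unix", AF_INET: "ipv4", AF_INET6: "ipv6", AF_NETLINK: "netlink"}

# x86_64 syscall numbers (assumption: arch=c000003e). connect() reaches out,
# accept()/accept4() take a peer in; other socket calls carry no direction.
SYSCALL_DIRECTION = {42: "outgoing", 43: "incoming", 288: "incoming"}

# Constructed samples, not real captures: the saddr= hex the kernel would write
# for 192.168.1.1:80, [2001:db8::1]:443, /run/docker.sock and the kernel's own
# netlink address (nl_pid 0, no multicast groups).
SAMPLE_SADDR = {
    "ipv4": "02000050C0A801010000000000000000",
    "ipv6": "0A0001BB0000000020010DB800000000000000000000000100000000",
    "unix": "01002F72756E2F646F636B65722E736F636B00",
    "netlink": "1000" + "0000" + "00000000" + "00000000",
}


def decode_saddr(hexstr: str) -> Dict[str, object]:
    """Decode a SOCKADDR saddr= value into family, address, port or path."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        raise ValueError("saddr shorter than sa_family")
    # sa_family is in host byte order; the sample host is little-endian x86_64 (assumption).
    family = struct.unpack_from("<H", raw, 0)[0]
    out: Dict[str, object] = {"family": FAMILY_NAMES.get(family, str(family))}
    if family == AF_INET and len(raw) >= 8:
        # struct sockaddr_in: sin_port (network order), sin_addr, then padding
        port, addr = struct.unpack_from("!H4s", raw, 2)
        out.update(port=port, addr=str(ipaddress.IPv4Address(addr)))
    elif family == AF_INET6 and len(raw) >= 24:
        # struct sockaddr_in6: sin6_port, sin6_flowinfo, sin6_addr, sin6_scope_id
        port, _flowinfo, addr = struct.unpack_from("!HI16s", raw, 2)
        out.update(port=port, addr=str(ipaddress.IPv6Address(addr)))
    elif family == AF_UNIX:
        # sun_path follows sa_family; a leading NUL marks an abstract socket,
        # rendered here with the "@" prefix ss(8) uses (display convention only).
        path = raw[2:]
        if path.startswith(b"\x00"):
            out["path"] = "@" + path[1:].split(b"\x00", 1)[0].decode("utf-8", "replace")
        else:
            out["path"] = path.split(b"\x00", 1)[0].decode("utf-8", "replace")
    elif family == AF_NETLINK and len(raw) >= 12:
        # struct sockaddr_nl: nl_pad, nl_pid (0 = kernel), nl_groups; host order
        pid, groups = struct.unpack_from("<II", raw, 4)
        out.update(pid=pid, groups=groups)
    else:
        out["saddr"] = hexstr  # unknown or truncated: keep the raw value so nothing is lost
    return out


def socket_event(syscall_num: int, saddr_hex: str) -> Dict[str, object]:
    """Derive network.direction and the source/destination fields for one socket syscall."""
    sock = decode_saddr(saddr_hex)
    direction: Optional[str] = SYSCALL_DIRECTION.get(syscall_num)
    event: Dict[str, object] = {"auditd.data.socket": sock, "network.direction": direction}
    # On connect() the peer is the destination; on accept() the peer is the source.
    side = {"outgoing": "destination", "incoming": "source"}.get(direction)
    if side is None:
        return event
    for key, ecs in (("addr", "ip"), ("port", "port"), ("path", "path")):
        if key in sock:
            event["%s.%s" % (side, ecs)] = sock[key]
    return event
```

Keeping the raw hex when the family is unknown or the structure is truncated matters in practice: an unexpected family (or a deliberately short sockaddr passed to connect()) should surface as a visible oddity in the event rather than silently produce an empty address.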
auditd.messages
type: text
An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if include_raw_message is set in the config.
auditd.warnings
type: keyword
The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.
geoip fields
The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or Ingest Node.
geoip.continent_name
type: keyword
The name of the continent.
geoip.city_name
type: keyword
The name of the city.
geoip.region_name
type: keyword
The name of the region.
geoip.country_iso_code
type: keyword
Country ISO code.
geoip.location
type: geo_point
The longitude and latitude.