Auditd fields

These are the fields generated by the auditd module.

event.category

type: keyword

example: audit-rule

The event’s category is a value derived from the record_type.

event.type

type: keyword

The audit record’s type.

user.auid

type: keyword

login user ID

user.uid

type: keyword

user ID

user.euid

type: keyword

effective user ID

user.fsuid

type: keyword

file system user ID

user.suid

type: keyword

sent user ID

user.gid

type: keyword

group ID

user.egid

type: keyword

effective group ID

user.sgid

type: keyword

set group ID

user.fsgid

type: keyword

file system group ID

name_map fields

If resolve_ids is set to true in the configuration, then name_map will contain a mapping of uid field names to the resolved name (e.g. auid → root).

user.name_map.auid

type: keyword

login user name

user.name_map.uid

type: keyword

user name

user.name_map.euid

type: keyword

effective user name

user.name_map.fsuid

type: keyword

file system user name

user.name_map.suid

type: keyword

sent user name

user.name_map.gid

type: keyword

group name

user.name_map.egid

type: keyword

effective group name

user.name_map.sgid

type: keyword

set group name

user.name_map.fsgid

type: keyword

file system group name

selinux fields

The SELinux identity of the actor.

user.selinux.user

type: keyword

account submitted for authentication

user.selinux.role

type: keyword

user’s SELinux role

user.selinux.domain

type: keyword

The actor’s SELinux domain or type.

user.selinux.level

type: keyword

example: s0

The actor’s SELinux level.

user.selinux.category

type: keyword

The actor’s SELinux category or compartments.

process fields

Process attributes.

process.pid

type: keyword

Process ID.

process.ppid

type: keyword

Parent process ID.

process.name

type: keyword

Process name (comm).

process.title

type: keyword

Process title or command line parameters (proctitle).

process.exe

type: keyword

Absolute path of the executable.

process.cwd

type: keyword

The current working directory.

process.args

type: keyword

The process arguments as a list.

source fields

Source that triggered the event.

source.ip

type: ip

The remote address.

source.port

type: keyword

The port number.

source.hostname

type: keyword

Hostname of the source.

source.path

type: keyword

This is the path associated with a unix socket.

destination fields

Destination address that triggered the event.

destination.ip

type: ip

The remote address.

destination.port

type: keyword

The port number.

destination.hostname

type: keyword

Hostname of the destination.

destination.path

type: keyword

This is the path associated with a unix socket.

network.direction

type: keyword

Direction of the network traffic (incoming or outgoing).

auditd.sequence

type: long

The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can roll over.

auditd.session

type: keyword

The session ID assigned to a login. All events related to a login session will have the same value.

auditd.result

type: keyword

example: success or fail

The result of the audited operation (success/fail).

actor fields

The actor is the user that triggered the audit event.

auditd.summary.actor.primary

type: keyword

The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.

auditd.summary.actor.secondary

type: keyword

The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su.

object fields

This is the thing or object being acted upon in the event.

auditd.summary.object.type

type: keyword

A description of what the "thing" is (e.g. file, socket, user-session).

auditd.summary.object.primary

type: keyword

auditd.summary.object.secondary

type: keyword

auditd.summary.how

type: keyword

This describes how the action was performed. Usually this is the executable or command whose execution triggered the event.

paths fields

List of paths associated with the event.

auditd.paths.inode

type: keyword

inode number

auditd.paths.dev

type: keyword

device name as found in /dev

auditd.paths.obj_user

type: keyword

auditd.paths.obj_role

type: keyword

auditd.paths.obj_domain

type: keyword

auditd.paths.obj_level

type: keyword

auditd.paths.objtype

type: keyword

auditd.paths.ouid

type: keyword

file owner user ID

auditd.paths.rdev

type: keyword

the device identifier (special files only)

auditd.paths.nametype

type: keyword

kind of file operation being referenced

auditd.paths.ogid

type: keyword

file owner group ID

auditd.paths.item

type: keyword

which item is being recorded

auditd.paths.mode

type: keyword

mode flags on a file

auditd.paths.name

type: keyword

file name in avcs

data fields

The data from the audit messages.

auditd.data.action

type: keyword

netfilter packet disposition

auditd.data.minor

type: keyword

device minor number

auditd.data.acct

type: keyword

a user’s account name

auditd.data.addr

type: keyword

the remote address that the user is connecting from

auditd.data.cipher

type: keyword

name of crypto cipher selected

auditd.data.id

type: keyword

during account changes

auditd.data.entries

type: keyword

number of entries in the netfilter table

auditd.data.kind

type: keyword

server or client in crypto operation

auditd.data.ksize

type: keyword

key size for crypto operation

auditd.data.spid

type: keyword

sent process ID

auditd.data.arch

type: keyword

the elf architecture flags

auditd.data.argc

type: keyword

the number of arguments to an execve syscall

auditd.data.major

type: keyword

device major number

auditd.data.unit

type: keyword

systemd unit

auditd.data.table

type: keyword

netfilter table name

auditd.data.terminal

type: keyword

terminal name the user is running programs on

auditd.data.grantors

type: keyword

pam modules approving the action

auditd.data.direction

type: keyword

direction of crypto operation

auditd.data.op

type: keyword

the operation being performed that is audited

auditd.data.tty

type: keyword

tty device the user is running programs on

auditd.data.syscall

type: keyword

syscall number in effect when the event occurred

auditd.data.data

type: keyword

TTY text

auditd.data.family

type: keyword

netfilter protocol

auditd.data.mac

type: keyword

crypto MAC algorithm selected

auditd.data.pfs

type: keyword

perfect forward secrecy method

auditd.data.items

type: keyword

the number of path records in the event

auditd.data.a0

type: keyword

auditd.data.a1

type: keyword

auditd.data.a2

type: keyword

auditd.data.a3

type: keyword

auditd.data.hostname

type: keyword

the hostname that the user is connecting from

auditd.data.lport

type: keyword

local network port

auditd.data.rport

type: keyword

remote port number

auditd.data.exit

type: keyword

syscall exit code

auditd.data.fp

type: keyword

crypto key fingerprint

auditd.data.laddr

type: keyword

local network address

auditd.data.sport

type: keyword

local port number

auditd.data.capability

type: keyword

posix capabilities

auditd.data.nargs

type: keyword

the number of arguments to a socket call

auditd.data.new-enabled

type: keyword

new TTY audit enabled setting

auditd.data.audit_backlog_limit

type: keyword

audit system’s backlog queue size

auditd.data.dir

type: keyword

directory name

auditd.data.cap_pe

type: keyword

process effective capability map

auditd.data.model

type: keyword

security model being used for virt

auditd.data.new_pp

type: keyword

new process permitted capability map

auditd.data.old-enabled

type: keyword

present TTY audit enabled setting

auditd.data.oauid

type: keyword

object’s login user ID

auditd.data.old

type: keyword

old value

auditd.data.banners

type: keyword

banners used on printed page

auditd.data.feature

type: keyword

kernel feature being changed

auditd.data.vm-ctx

type: keyword

the vm’s context string

auditd.data.opid

type: keyword

object’s process ID

auditd.data.seperms

type: keyword

SELinux permissions being used

auditd.data.seresult

type: keyword

SELinux AVC decision granted/denied

auditd.data.new-rng

type: keyword

device name of rng being added from a vm

auditd.data.old-net

type: keyword

present MAC address assigned to vm

auditd.data.sigev_signo

type: keyword

signal number

auditd.data.ino

type: keyword

inode number

auditd.data.old_enforcing

type: keyword

old MAC enforcement status

auditd.data.old-vcpu

type: keyword

present number of CPU cores

auditd.data.range

type: keyword

user’s SELinux range

auditd.data.res

type: keyword

result of the audited operation (success/fail)

auditd.data.added

type: keyword

number of new files detected

auditd.data.fam

type: keyword

socket address family

auditd.data.nlnk-pid

type: keyword

pid of netlink packet sender

auditd.data.subj

type: keyword

lspp subject’s context string

auditd.data.a[0-3]

type: keyword

the arguments to a syscall

auditd.data.cgroup

type: keyword

path to cgroup in sysfs

auditd.data.kernel

type: keyword

kernel’s version number

auditd.data.ocomm

type: keyword

object’s command line name

auditd.data.new-net

type: keyword

MAC address being assigned to vm

auditd.data.permissive

type: keyword

SELinux is in permissive mode

auditd.data.class

type: keyword

resource class assigned to vm

auditd.data.compat

type: keyword

is_compat_task result

auditd.data.fi

type: keyword

file assigned inherited capability map

auditd.data.changed

type: keyword

number of changed files

auditd.data.msg

type: keyword

the payload of the audit record

auditd.data.dport

type: keyword

remote port number

auditd.data.new-seuser

type: keyword

new SELinux user

auditd.data.invalid_context

type: keyword

SELinux context

auditd.data.dmac

type: keyword

remote MAC address

auditd.data.ipx-net

type: keyword

IPX network number

auditd.data.iuid

type: keyword

ipc object’s user ID

auditd.data.macproto

type: keyword

ethernet packet type ID field

auditd.data.obj

type: keyword

lspp object context string

auditd.data.ipid

type: keyword

IP datagram fragment identifier

auditd.data.new-fs

type: keyword

file system being added to vm

auditd.data.vm-pid

type: keyword

vm’s process ID

auditd.data.cap_pi

type: keyword

process inherited capability map

auditd.data.old-auid

type: keyword

previous auid value

auditd.data.oses

type: keyword

object’s session ID

auditd.data.fd

type: keyword

file descriptor number

auditd.data.igid

type: keyword

ipc object’s group ID

auditd.data.new-disk

type: keyword

disk being added to vm

auditd.data.parent

type: keyword

the inode number of the parent file

auditd.data.len

type: keyword

length

auditd.data.oflag

type: keyword

open syscall flags

auditd.data.uuid

type: keyword

a UUID

auditd.data.code

type: keyword

seccomp action code

auditd.data.nlnk-grp

type: keyword

netlink group number

auditd.data.cap_fp

type: keyword

file permitted capability map

auditd.data.new-mem

type: keyword

new amount of memory in KB

auditd.data.seperm

type: keyword

SELinux permission being decided on

auditd.data.enforcing

type: keyword

new MAC enforcement status

auditd.data.new-chardev

type: keyword

new character device being assigned to vm

auditd.data.old-rng

type: keyword

device name of rng being removed from a vm

auditd.data.outif

type: keyword

out interface number

auditd.data.cmd

type: keyword

command being executed

auditd.data.hook

type: keyword

netfilter hook that packet came from

auditd.data.new-level

type: keyword

new run level

auditd.data.sauid

type: keyword

sent login user ID

auditd.data.sig

type: keyword

signal number

auditd.data.audit_backlog_wait_time

type: keyword

audit system’s backlog wait time

auditd.data.printer

type: keyword

printer name

auditd.data.old-mem

type: keyword

present amount of memory in KB

auditd.data.perm

type: keyword

the file permission being used

auditd.data.old_pi

type: keyword

old process inherited capability map

auditd.data.state

type: keyword

audit daemon configuration resulting state

auditd.data.format

type: keyword

audit log’s format

auditd.data.new_gid

type: keyword

new group ID being assigned

auditd.data.tcontext

type: keyword

the target’s or object’s context string

auditd.data.maj

type: keyword

device major number

auditd.data.watch

type: keyword

file name in a watch record

auditd.data.device

type: keyword

device name

auditd.data.grp

type: keyword

group name

auditd.data.bool

type: keyword

name of SELinux boolean

auditd.data.icmp_type

type: keyword

type of icmp message

auditd.data.new_lock

type: keyword

new value of feature lock

auditd.data.old_prom

type: keyword

network promiscuity flag

auditd.data.acl

type: keyword

access mode of resource assigned to vm

auditd.data.ip

type: keyword

network address of a printer

auditd.data.new_pi

type: keyword

new process inherited capability map

auditd.data.default-context

type: keyword

default MAC context

auditd.data.inode_gid

type: keyword

group ID of the inode’s owner

auditd.data.new-log_passwd

type: keyword

new value for TTY password logging

auditd.data.new_pe

type: keyword

new process effective capability map

auditd.data.selected-context

type: keyword

new MAC context assigned to session

auditd.data.cap_fver

type: keyword

file system capabilities version number

auditd.data.file

type: keyword

file name

auditd.data.net

type: keyword

network MAC address

auditd.data.virt

type: keyword

kind of virtualization being referenced

auditd.data.cap_pp

type: keyword

process permitted capability map

auditd.data.old-range

type: keyword

present SELinux range

auditd.data.resrc

type: keyword

resource being assigned

auditd.data.new-range

type: keyword

new SELinux range

auditd.data.obj_gid

type: keyword

group ID of object

auditd.data.proto

type: keyword

network protocol

auditd.data.old-disk

type: keyword

disk being removed from vm

auditd.data.audit_failure

type: keyword

audit system’s failure mode

auditd.data.inif

type: keyword

in interface number

auditd.data.vm

type: keyword

virtual machine name

auditd.data.flags

type: keyword

mmap syscall flags

auditd.data.nlnk-fam

type: keyword

netlink protocol number

auditd.data.old-fs

type: keyword

file system being removed from vm

auditd.data.old-ses

type: keyword

previous ses value

auditd.data.seqno

type: keyword

sequence number

auditd.data.fver

type: keyword

file system capabilities version number

auditd.data.qbytes

type: keyword

ipc object’s quantity of bytes

auditd.data.seuser

type: keyword

user’s SELinux user account

auditd.data.cap_fe

type: keyword

file assigned effective capability map

auditd.data.new-vcpu

type: keyword

new number of CPU cores

auditd.data.old-level

type: keyword

old run level

auditd.data.old_pp

type: keyword

old process permitted capability map

auditd.data.daddr

type: keyword

remote IP address

auditd.data.old-role

type: keyword

present SELinux role

auditd.data.ioctlcmd

type: keyword

The request argument to the ioctl syscall

auditd.data.smac

type: keyword

local MAC address

auditd.data.apparmor

type: keyword

apparmor event information

auditd.data.fe

type: keyword

file assigned effective capability map

auditd.data.perm_mask

type: keyword

file permission mask that triggered a watch event

auditd.data.ses

type: keyword

login session ID

auditd.data.cap_fi

type: keyword

file inherited capability map

auditd.data.obj_uid

type: keyword

user ID of object

auditd.data.reason

type: keyword

text string denoting a reason for the action

auditd.data.list

type: keyword

the audit system’s filter list number

auditd.data.old_lock

type: keyword

present value of feature lock

auditd.data.bus

type: keyword

name of subsystem bus a vm resource belongs to

auditd.data.old_pe

type: keyword

old process effective capability map

auditd.data.new-role

type: keyword

new SELinux role

auditd.data.prom

type: keyword

network promiscuity flag

auditd.data.uri

type: keyword

URI pointing to a printer

auditd.data.audit_enabled

type: keyword

audit system’s enable/disable status

auditd.data.old-log_passwd

type: keyword

present value for TTY password logging

auditd.data.old-seuser

type: keyword

present SELinux user

auditd.data.per

type: keyword

linux personality

auditd.data.scontext

type: keyword

the subject’s context string

auditd.data.tclass

type: keyword

target’s object classification

auditd.data.ver

type: keyword

audit daemon’s version number

auditd.data.new

type: keyword

value being set in feature

auditd.data.val

type: keyword

generic value associated with the operation

auditd.data.img-ctx

type: keyword

the vm’s disk image context string

auditd.data.old-chardev

type: keyword

present character device assigned to vm

auditd.data.old_val

type: keyword

current value of SELinux boolean

auditd.data.success

type: keyword

whether the syscall was successful or not

auditd.data.inode_uid

type: keyword

user ID of the inode’s owner

auditd.data.removed

type: keyword

number of deleted files

auditd.data.socket.port

type: keyword

The port number.

auditd.data.socket.saddr

type: keyword

The raw socket address structure.

auditd.data.socket.addr

type: keyword

The remote address.

auditd.data.socket.family

type: keyword

example: unix

The socket family (unix, ipv4, ipv6, netlink).

auditd.data.socket.path

type: keyword

This is the path associated with a unix socket.

auditd.messages

type: text

An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if include_raw_message is set in the config.

auditd.warnings

type: keyword

The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.

geoip fields

The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or Ingest Node.

geoip.continent_name

type: keyword

The name of the continent.

geoip.city_name

type: keyword

The name of the city.

geoip.region_name

type: keyword

The name of the region.

geoip.country_iso_code

type: keyword

Country ISO code.

geoip.location

type: geo_point

The longitude and latitude.