Auditd fields
editAuditd fields
editThese are the fields generated by the auditd module.
-
user.auid
-
type: alias
alias to: user.audit.id
-
user.uid
-
type: alias
alias to: user.id
-
user.euid
-
type: alias
alias to: user.effective.id
-
user.fsuid
-
type: alias
alias to: user.filesystem.id
-
user.suid
-
type: alias
alias to: user.saved.id
-
user.gid
-
type: alias
alias to: user.group.id
-
user.egid
-
type: alias
alias to: user.effective.group.id
-
user.sgid
-
type: alias
alias to: user.saved.group.id
-
user.fsgid
-
type: alias
alias to: user.filesystem.group.id
name_map fields
editIf resolve_ids
is set to true in the configuration then name_map
will contain a mapping of uid field names to the resolved name (e.g. auid → root).
-
user.name_map.auid
-
type: alias
alias to: user.audit.name
-
user.name_map.uid
-
type: alias
alias to: user.name
-
user.name_map.euid
-
type: alias
alias to: user.effective.name
-
user.name_map.fsuid
-
type: alias
alias to: user.filesystem.name
-
user.name_map.suid
-
type: alias
alias to: user.saved.name
-
user.name_map.gid
-
type: alias
alias to: user.group.name
-
user.name_map.egid
-
type: alias
alias to: user.effective.group.name
-
user.name_map.sgid
-
type: alias
alias to: user.saved.group.name
-
user.name_map.fsgid
-
type: alias
alias to: user.filesystem.group.name
selinux fields
editThe SELinux identity of the actor.
-
user.selinux.user
-
type: keyword
account submitted for authentication
-
user.selinux.role
-
type: keyword
user’s SELinux role
-
user.selinux.domain
-
type: keyword
The actor’s SELinux domain or type.
-
user.selinux.level
-
type: keyword
example: s0
The actor’s SELinux level.
-
user.selinux.category
-
type: keyword
The actor’s SELinux category or compartments.
process fields
editProcess attributes.
-
process.cwd
-
type: alias
alias to: process.working_directory
The current working directory.
source fields
editSource that triggered the event.
-
source.path
-
type: keyword
This is the path associated with a unix socket.
destination fields
editDestination address that triggered the event.
-
destination.path
-
type: keyword
This is the path associated with a unix socket.
-
auditd.message_type
-
type: keyword
example: syscall
The audit message type (e.g. syscall or apparmor_denied).
-
auditd.sequence
-
type: long
The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover.
-
auditd.session
-
type: keyword
The session ID assigned to a login. All events related to a login session will have the same value.
-
auditd.result
-
type: keyword
example: success or fail
The result of the audited operation (success/fail).
actor fields
editThe actor is the user that triggered the audit event.
-
auditd.summary.actor.primary
-
type: keyword
The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.
-
auditd.summary.actor.secondary
-
type: keyword
The secondary identity of the actor. This is typically the same as the primary, except for when the user has used
su
.
object fields
editThis is the thing or object being acted upon in the event.
-
auditd.summary.object.type
-
type: keyword
A description of the what the "thing" is (e.g. file, socket, user-session).
-
auditd.summary.object.primary
-
type: keyword
-
auditd.summary.object.secondary
-
type: keyword
-
auditd.summary.how
-
type: keyword
This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.
paths fields
editList of paths associated with the event.
-
auditd.paths.inode
-
type: keyword
inode number
-
auditd.paths.dev
-
type: keyword
device name as found in /dev
-
auditd.paths.obj_user
-
type: keyword
-
auditd.paths.obj_role
-
type: keyword
-
auditd.paths.obj_domain
-
type: keyword
-
auditd.paths.obj_level
-
type: keyword
-
auditd.paths.objtype
-
type: keyword
-
auditd.paths.ouid
-
type: keyword
file owner user ID
-
auditd.paths.rdev
-
type: keyword
the device identifier (special files only)
-
auditd.paths.nametype
-
type: keyword
kind of file operation being referenced
-
auditd.paths.ogid
-
type: keyword
file owner group ID
-
auditd.paths.item
-
type: keyword
which item is being recorded
-
auditd.paths.mode
-
type: keyword
mode flags on a file
-
auditd.paths.name
-
type: keyword
file name in avcs
data fields
editThe data from the audit messages.
-
auditd.data.action
-
type: keyword
netfilter packet disposition
-
auditd.data.minor
-
type: keyword
device minor number
-
auditd.data.acct
-
type: keyword
a user’s account name
-
auditd.data.addr
-
type: keyword
the remote address that the user is connecting from
-
auditd.data.cipher
-
type: keyword
name of crypto cipher selected
-
auditd.data.id
-
type: keyword
during account changes
-
auditd.data.entries
-
type: keyword
number of entries in the netfilter table
-
auditd.data.kind
-
type: keyword
server or client in crypto operation
-
auditd.data.ksize
-
type: keyword
key size for crypto operation
-
auditd.data.spid
-
type: keyword
sent process ID
-
auditd.data.arch
-
type: keyword
the elf architecture flags
-
auditd.data.argc
-
type: keyword
the number of arguments to an execve syscall
-
auditd.data.major
-
type: keyword
device major number
-
auditd.data.unit
-
type: keyword
systemd unit
-
auditd.data.table
-
type: keyword
netfilter table name
-
auditd.data.terminal
-
type: keyword
terminal name the user is running programs on
-
auditd.data.grantors
-
type: keyword
pam modules approving the action
-
auditd.data.direction
-
type: keyword
direction of crypto operation
-
auditd.data.op
-
type: keyword
the operation being performed that is audited
-
auditd.data.tty
-
type: keyword
tty udevice the user is running programs on
-
auditd.data.syscall
-
type: keyword
syscall number in effect when the event occurred
-
auditd.data.data
-
type: keyword
TTY text
-
auditd.data.family
-
type: keyword
netfilter protocol
-
auditd.data.mac
-
type: keyword
crypto MAC algorithm selected
-
auditd.data.pfs
-
type: keyword
perfect forward secrecy method
-
auditd.data.items
-
type: keyword
the number of path records in the event
-
auditd.data.a0
-
type: keyword
-
auditd.data.a1
-
type: keyword
-
auditd.data.a2
-
type: keyword
-
auditd.data.a3
-
type: keyword
-
auditd.data.hostname
-
type: keyword
the hostname that the user is connecting from
-
auditd.data.lport
-
type: keyword
local network port
-
auditd.data.rport
-
type: keyword
remote port number
-
auditd.data.exit
-
type: keyword
syscall exit code
-
auditd.data.fp
-
type: keyword
crypto key finger print
-
auditd.data.laddr
-
type: keyword
local network address
-
auditd.data.sport
-
type: keyword
local port number
-
auditd.data.capability
-
type: keyword
posix capabilities
-
auditd.data.nargs
-
type: keyword
the number of arguments to a socket call
-
auditd.data.new-enabled
-
type: keyword
new TTY audit enabled setting
-
auditd.data.audit_backlog_limit
-
type: keyword
audit system’s backlog queue size
-
auditd.data.dir
-
type: keyword
directory name
-
auditd.data.cap_pe
-
type: keyword
process effective capability map
-
auditd.data.model
-
type: keyword
security model being used for virt
-
auditd.data.new_pp
-
type: keyword
new process permitted capability map
-
auditd.data.old-enabled
-
type: keyword
present TTY audit enabled setting
-
auditd.data.oauid
-
type: keyword
object’s login user ID
-
auditd.data.old
-
type: keyword
old value
-
auditd.data.banners
-
type: keyword
banners used on printed page
-
auditd.data.feature
-
type: keyword
kernel feature being changed
-
auditd.data.vm-ctx
-
type: keyword
the vm’s context string
-
auditd.data.opid
-
type: keyword
object’s process ID
-
auditd.data.seperms
-
type: keyword
SELinux permissions being used
-
auditd.data.seresult
-
type: keyword
SELinux AVC decision granted/denied
-
auditd.data.new-rng
-
type: keyword
device name of rng being added from a vm
-
auditd.data.old-net
-
type: keyword
present MAC address assigned to vm
-
auditd.data.sigev_signo
-
type: keyword
signal number
-
auditd.data.ino
-
type: keyword
inode number
-
auditd.data.old_enforcing
-
type: keyword
old MAC enforcement status
-
auditd.data.old-vcpu
-
type: keyword
present number of CPU cores
-
auditd.data.range
-
type: keyword
user’s SE Linux range
-
auditd.data.res
-
type: keyword
result of the audited operation(success/fail)
-
auditd.data.added
-
type: keyword
number of new files detected
-
auditd.data.fam
-
type: keyword
socket address family
-
auditd.data.nlnk-pid
-
type: keyword
pid of netlink packet sender
-
auditd.data.subj
-
type: keyword
lspp subject’s context string
-
auditd.data.a[0-3]
-
type: keyword
the arguments to a syscall
-
auditd.data.cgroup
-
type: keyword
path to cgroup in sysfs
-
auditd.data.kernel
-
type: keyword
kernel’s version number
-
auditd.data.ocomm
-
type: keyword
object’s command line name
-
auditd.data.new-net
-
type: keyword
MAC address being assigned to vm
-
auditd.data.permissive
-
type: keyword
SELinux is in permissive mode
-
auditd.data.class
-
type: keyword
resource class assigned to vm
-
auditd.data.compat
-
type: keyword
is_compat_task result
-
auditd.data.fi
-
type: keyword
file assigned inherited capability map
-
auditd.data.changed
-
type: keyword
number of changed files
-
auditd.data.msg
-
type: keyword
the payload of the audit record
-
auditd.data.dport
-
type: keyword
remote port number
-
auditd.data.new-seuser
-
type: keyword
new SELinux user
-
auditd.data.invalid_context
-
type: keyword
SELinux context
-
auditd.data.dmac
-
type: keyword
remote MAC address
-
auditd.data.ipx-net
-
type: keyword
IPX network number
-
auditd.data.iuid
-
type: keyword
ipc object’s user ID
-
auditd.data.macproto
-
type: keyword
ethernet packet type ID field
-
auditd.data.obj
-
type: keyword
lspp object context string
-
auditd.data.ipid
-
type: keyword
IP datagram fragment identifier
-
auditd.data.new-fs
-
type: keyword
file system being added to vm
-
auditd.data.vm-pid
-
type: keyword
vm’s process ID
-
auditd.data.cap_pi
-
type: keyword
process inherited capability map
-
auditd.data.old-auid
-
type: keyword
previous auid value
-
auditd.data.oses
-
type: keyword
object’s session ID
-
auditd.data.fd
-
type: keyword
file descriptor number
-
auditd.data.igid
-
type: keyword
ipc object’s group ID
-
auditd.data.new-disk
-
type: keyword
disk being added to vm
-
auditd.data.parent
-
type: keyword
the inode number of the parent file
-
auditd.data.len
-
type: keyword
length
-
auditd.data.oflag
-
type: keyword
open syscall flags
-
auditd.data.uuid
-
type: keyword
a UUID
-
auditd.data.code
-
type: keyword
seccomp action code
-
auditd.data.nlnk-grp
-
type: keyword
netlink group number
-
auditd.data.cap_fp
-
type: keyword
file permitted capability map
-
auditd.data.new-mem
-
type: keyword
new amount of memory in KB
-
auditd.data.seperm
-
type: keyword
SELinux permission being decided on
-
auditd.data.enforcing
-
type: keyword
new MAC enforcement status
-
auditd.data.new-chardev
-
type: keyword
new character device being assigned to vm
-
auditd.data.old-rng
-
type: keyword
device name of rng being removed from a vm
-
auditd.data.outif
-
type: keyword
out interface number
-
auditd.data.cmd
-
type: keyword
command being executed
-
auditd.data.hook
-
type: keyword
netfilter hook that packet came from
-
auditd.data.new-level
-
type: keyword
new run level
-
auditd.data.sauid
-
type: keyword
sent login user ID
-
auditd.data.sig
-
type: keyword
signal number
-
auditd.data.audit_backlog_wait_time
-
type: keyword
audit system’s backlog wait time
-
auditd.data.printer
-
type: keyword
printer name
-
auditd.data.old-mem
-
type: keyword
present amount of memory in KB
-
auditd.data.perm
-
type: keyword
the file permission being used
-
auditd.data.old_pi
-
type: keyword
old process inherited capability map
-
auditd.data.state
-
type: keyword
audit daemon configuration resulting state
-
auditd.data.format
-
type: keyword
audit log’s format
-
auditd.data.new_gid
-
type: keyword
new group ID being assigned
-
auditd.data.tcontext
-
type: keyword
the target’s or object’s context string
-
auditd.data.maj
-
type: keyword
device major number
-
auditd.data.watch
-
type: keyword
file name in a watch record
-
auditd.data.device
-
type: keyword
device name
-
auditd.data.grp
-
type: keyword
group name
-
auditd.data.bool
-
type: keyword
name of SELinux boolean
-
auditd.data.icmp_type
-
type: keyword
type of icmp message
-
auditd.data.new_lock
-
type: keyword
new value of feature lock
-
auditd.data.old_prom
-
type: keyword
network promiscuity flag
-
auditd.data.acl
-
type: keyword
access mode of resource assigned to vm
-
auditd.data.ip
-
type: keyword
network address of a printer
-
auditd.data.new_pi
-
type: keyword
new process inherited capability map
-
auditd.data.default-context
-
type: keyword
default MAC context
-
auditd.data.inode_gid
-
type: keyword
group ID of the inode’s owner
-
auditd.data.new-log_passwd
-
type: keyword
new value for TTY password logging
-
auditd.data.new_pe
-
type: keyword
new process effective capability map
-
auditd.data.selected-context
-
type: keyword
new MAC context assigned to session
-
auditd.data.cap_fver
-
type: keyword
file system capabilities version number
-
auditd.data.file
-
type: keyword
file name
-
auditd.data.net
-
type: keyword
network MAC address
-
auditd.data.virt
-
type: keyword
kind of virtualization being referenced
-
auditd.data.cap_pp
-
type: keyword
process permitted capability map
-
auditd.data.old-range
-
type: keyword
present SELinux range
-
auditd.data.resrc
-
type: keyword
resource being assigned
-
auditd.data.new-range
-
type: keyword
new SELinux range
-
auditd.data.obj_gid
-
type: keyword
group ID of object
-
auditd.data.proto
-
type: keyword
network protocol
-
auditd.data.old-disk
-
type: keyword
disk being removed from vm
-
auditd.data.audit_failure
-
type: keyword
audit system’s failure mode
-
auditd.data.inif
-
type: keyword
in interface number
-
auditd.data.vm
-
type: keyword
virtual machine name
-
auditd.data.flags
-
type: keyword
mmap syscall flags
-
auditd.data.nlnk-fam
-
type: keyword
netlink protocol number
-
auditd.data.old-fs
-
type: keyword
file system being removed from vm
-
auditd.data.old-ses
-
type: keyword
previous ses value
-
auditd.data.seqno
-
type: keyword
sequence number
-
auditd.data.fver
-
type: keyword
file system capabilities version number
-
auditd.data.qbytes
-
type: keyword
ipc objects quantity of bytes
-
auditd.data.seuser
-
type: keyword
user’s SE Linux user acct
-
auditd.data.cap_fe
-
type: keyword
file assigned effective capability map
-
auditd.data.new-vcpu
-
type: keyword
new number of CPU cores
-
auditd.data.old-level
-
type: keyword
old run level
-
auditd.data.old_pp
-
type: keyword
old process permitted capability map
-
auditd.data.daddr
-
type: keyword
remote IP address
-
auditd.data.old-role
-
type: keyword
present SELinux role
-
auditd.data.ioctlcmd
-
type: keyword
The request argument to the ioctl syscall
-
auditd.data.smac
-
type: keyword
local MAC address
-
auditd.data.apparmor
-
type: keyword
apparmor event information
-
auditd.data.fe
-
type: keyword
file assigned effective capability map
-
auditd.data.perm_mask
-
type: keyword
file permission mask that triggered a watch event
-
auditd.data.ses
-
type: keyword
login session ID
-
auditd.data.cap_fi
-
type: keyword
file inherited capability map
-
auditd.data.obj_uid
-
type: keyword
user ID of object
-
auditd.data.reason
-
type: keyword
text string denoting a reason for the action
-
auditd.data.list
-
type: keyword
the audit system’s filter list number
-
auditd.data.old_lock
-
type: keyword
present value of feature lock
-
auditd.data.bus
-
type: keyword
name of subsystem bus a vm resource belongs to
-
auditd.data.old_pe
-
type: keyword
old process effective capability map
-
auditd.data.new-role
-
type: keyword
new SELinux role
-
auditd.data.prom
-
type: keyword
network promiscuity flag
-
auditd.data.uri
-
type: keyword
URI pointing to a printer
-
auditd.data.audit_enabled
-
type: keyword
audit systems’s enable/disable status
-
auditd.data.old-log_passwd
-
type: keyword
present value for TTY password logging
-
auditd.data.old-seuser
-
type: keyword
present SELinux user
-
auditd.data.per
-
type: keyword
linux personality
-
auditd.data.scontext
-
type: keyword
the subject’s context string
-
auditd.data.tclass
-
type: keyword
target’s object classification
-
auditd.data.ver
-
type: keyword
audit daemon’s version number
-
auditd.data.new
-
type: keyword
value being set in feature
-
auditd.data.val
-
type: keyword
generic value associated with the operation
-
auditd.data.img-ctx
-
type: keyword
the vm’s disk image context string
-
auditd.data.old-chardev
-
type: keyword
present character device assigned to vm
-
auditd.data.old_val
-
type: keyword
current value of SELinux boolean
-
auditd.data.success
-
type: keyword
whether the syscall was successful or not
-
auditd.data.inode_uid
-
type: keyword
user ID of the inode’s owner
-
auditd.data.removed
-
type: keyword
number of deleted files
-
auditd.data.socket.port
-
type: keyword
The port number.
-
auditd.data.socket.saddr
-
type: keyword
The raw socket address structure.
-
auditd.data.socket.addr
-
type: keyword
The remote address.
-
auditd.data.socket.family
-
type: keyword
example: unix
The socket family (unix, ipv4, ipv6, netlink).
-
auditd.data.socket.path
-
type: keyword
This is the path associated with a unix socket.
-
auditd.messages
-
type: alias
alias to: event.original
An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if
include_raw_message
is set in the config. -
auditd.warnings
-
type: alias
alias to: error.message
The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.
geoip fields
editThe geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or Ingest Node.
-
geoip.continent_name
-
type: keyword
The name of the continent.
-
geoip.city_name
-
type: keyword
The name of the city.
-
geoip.region_name
-
type: keyword
The name of the region.
-
geoip.country_iso_code
-
type: keyword
Country ISO code.
-
geoip.location
-
type: geo_point
The longitude and latitude.