- Auditbeat Reference: other versions:
- Overview
- Getting started with Auditbeat
- Setting up and running Auditbeat
- Upgrading Auditbeat
- Configuring Auditbeat
- Specify which modules to run
- Specify general settings
- Reload the configuration dynamically
- Configure the internal queue
- Configure the output
- Configure index lifecycle management
- Specify SSL settings
- Filter and enhance the exported data
- Define processors
- Add cloud metadata
- Add fields
- Add labels
- Add the local time zone
- Add tags
- Decode JSON fields
- Drop events
- Drop fields from events
- Keep fields from events
- Rename fields from events
- Add Kubernetes metadata
- Add Docker metadata
- Add Host metadata
- Dissect strings
- DNS Reverse Lookup
- Add process metadata
- Parse data by using ingest node
- Enrich events with geoIP information
- Configure project paths
- Configure the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- YAML tips and gotchas
- Regular expression support
- HTTP Endpoint
- auditbeat.reference.yml
- Modules
- Exported fields
- Monitoring Auditbeat
- Securing Auditbeat
- Troubleshooting
- Contributing to Beats
Common fields
editCommon fields
editContains common fields available in all event types.
file fields
editFile attributes.
-
file.setuid -
type: boolean
example: True
Set if the file has the
setuidbit set. Omitted otherwise. -
file.setgid -
type: boolean
example: True
Set if the file has the
setgidbit set. Omitted otherwise. -
file.origin -
type: keyword
An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.
-
file.origin.raw -
type: keyword
This is a non-analyzed field that is useful for aggregations on the origin data.
selinux fields
editThe SELinux identity of the file.
-
file.selinux.user -
type: keyword
The owner of the object.
-
file.selinux.role -
type: keyword
The object’s SELinux role.
-
file.selinux.domain -
type: keyword
The object’s SELinux domain or type.
-
file.selinux.level -
type: keyword
example: s0
The object’s SELinux level.
user fields
editUser information.
audit fields
editAudit user information.
-
user.audit.id -
type: keyword
Audit user ID.
-
user.audit.name -
type: keyword
Audit user name.
effective fields
editEffective user information.
-
user.effective.id -
type: keyword
Effective user ID.
-
user.effective.name -
type: keyword
Effective user name.
group fields
editEffective group information.
-
user.effective.group.id -
type: keyword
Effective group ID.
-
user.effective.group.name -
type: keyword
Effective group name.
filesystem fields
editFilesystem user information.
-
user.filesystem.id -
type: keyword
Filesystem user ID.
-
user.filesystem.name -
type: keyword
Filesystem user name.
group fields
editFilesystem group information.
-
user.filesystem.group.id -
type: keyword
Filesystem group ID.
-
user.filesystem.group.name -
type: keyword
Filesystem group name.
saved fields
editSaved user information.
-
user.saved.id -
type: keyword
Saved user ID.
-
user.saved.name -
type: keyword
Saved user name.
group fields
editSaved group information.
-
user.saved.group.id -
type: keyword
Saved group ID.
-
user.saved.group.name -
type: keyword
Saved group name.
On this page