Auditd fields

These are the fields generated by the auditd module.
-
user.auid
-
type: alias
alias to: user.audit.id
-
user.uid
-
type: alias
alias to: user.id
-
user.euid
-
type: alias
alias to: user.effective.id
-
user.fsuid
-
type: alias
alias to: user.filesystem.id
-
user.suid
-
type: alias
alias to: user.saved.id
-
user.gid
-
type: alias
alias to: user.group.id
-
user.egid
-
type: alias
alias to: user.effective.group.id
-
user.sgid
-
type: alias
alias to: user.saved.group.id
-
user.fsgid
-
type: alias
alias to: user.filesystem.group.id
name_map

If resolve_ids is set to true in the configuration, then name_map will contain a mapping of uid field names to the resolved name (e.g. auid → root).
-
user.name_map.auid
-
type: alias
alias to: user.audit.name
-
user.name_map.uid
-
type: alias
alias to: user.name
-
user.name_map.euid
-
type: alias
alias to: user.effective.name
-
user.name_map.fsuid
-
type: alias
alias to: user.filesystem.name
-
user.name_map.suid
-
type: alias
alias to: user.saved.name
-
user.name_map.gid
-
type: alias
alias to: user.group.name
-
user.name_map.egid
-
type: alias
alias to: user.effective.group.name
-
user.name_map.sgid
-
type: alias
alias to: user.saved.group.name
-
user.name_map.fsgid
-
type: alias
alias to: user.filesystem.group.name
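As an added configuration example (not taken from the original page or the Auditbeat project's own docs), this auditbeat.yml fragment enables resolve_ids so the user.*.name fields above are populated, and include_raw_message so the raw kernel records are kept in auditd.messages; the audit rule and its key name are illustrative.

```yaml
auditbeat.modules:
- module: auditd
  # Resolve uid/gid values to names so user.*.name (the name_map aliases) are set.
  resolve_ids: true
  # Keep the raw kernel records in auditd.messages (alias of event.original).
  include_raw_message: true
  # Illustrative rule: record every execve/execveat on a 64-bit system.
  audit_rules: |
    -a always,exit -F arch=b64 -S execve,execveat -k exec
```

Name resolution happens on the host at event time, so a uid that is later reused by a different account still shows the name that was current when the event was recorded.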
selinux

The SELinux identity of the actor.
-
user.selinux.user
-
The actor’s SELinux user identity.
type: keyword
-
user.selinux.role
-
The actor’s SELinux role.
type: keyword
-
user.selinux.domain
-
The actor’s SELinux domain or type.
type: keyword
-
user.selinux.level
-
The actor’s SELinux level.
type: keyword
example: s0
-
user.selinux.category
-
The actor’s SELinux category or compartments.
type: keyword
process

Process attributes.
-
process.cwd
-
The current working directory.
type: alias
alias to: process.working_directory
source

Source that triggered the event.
-
source.path
-
This is the path associated with a unix socket.
type: keyword
destination

Destination address that triggered the event.
-
destination.path
-
This is the path associated with a unix socket.
type: keyword
-
auditd.message_type
-
The audit message type (e.g. syscall or apparmor_denied).
type: keyword
example: syscall
-
auditd.sequence
-
The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can roll over, so they are not unique over the lifetime of a host.
type: long
-
auditd.session
-
The session ID assigned to a login. All events related to a login session will have the same value.
type: keyword
-
auditd.result
-
The result of the audited operation (success/fail).
type: keyword
example: success or fail
actor

The actor is the user that triggered the audit event.
-
auditd.summary.actor.primary
-
The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.
type: keyword
-
auditd.summary.actor.secondary
-
The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su.
type: keyword
object

This is the thing or object being acted upon in the event.
-
auditd.summary.object.type
-
A description of what the "thing" is (e.g. file, socket, user-session).
type: keyword
-
auditd.summary.object.primary
-
type: keyword
-
auditd.summary.object.secondary
-
type: keyword
-
auditd.summary.how
-
This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.
type: keyword
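The fields above (auditd.message_type, auditd.sequence, auditd.session, auditd.result, the summary.actor pair and summary.how) are derived from the raw kernel records that Auditbeat coalesces by sequence number. The following added Python example, which is not code from the original page or from the Auditbeat project, shows that derivation on a few constructed records: it groups records by sequence, maps auid/uid to the primary/secondary actor (using a made-up uid-to-name table in place of resolve_ids), rebuilds argv from the EXECVE and PROCTITLE records, and flags events where the login identity and the running uid differ. It also computes gaps between consecutive sequence numbers in a way that survives the uint32 rollover noted under auditd.sequence.

```python
import re
from collections import defaultdict

# One raw kernel record looks like: type=T msg=audit(TIME:SEQ): k=v k="v" ...
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# Key/value pairs in the record body; values are quoted strings or bare tokens.
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

# Constructed uid -> name table standing in for what resolve_ids would
# supply (assumption: these are not accounts from any real host).
NAME_MAP = {"0": "root", "1000": "alice"}

# Constructed sample records (not captured from a real system): alice has
# used su to become root and runs "id -u"; later, as herself, she fails to
# open a file (exit=-13 is EACCES).
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1585144221.512:2837): arch=c000003e syscall=59 success=yes exit=0 a0=55d0b6b0c3f0 a1=55d0b6b0c4a0 a2=55d0b6b0c5b0 a3=8 items=2 ppid=4567 pid=4568 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1585144221.512:2837): argc=2 a0="id" a1="-u"
type=PROCTITLE msg=audit(1585144221.512:2837): proctitle=6964002D75
type=SYSCALL msg=audit(1585144221.600:2839): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd10 a2=0 a3=0 items=1 ppid=4567 pid=4570 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow"
"""


def parse_record(line):
    """Split one raw record into its type, timestamp, sequence and key/value body."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, ts, seq, body = m.groups()
    kv = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return {"type": rtype, "timestamp": float(ts), "sequence": int(seq),
            "fields": kv, "raw": line}


def build_event(records):
    """Turn the records sharing one sequence number into a single document."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), records[0])
    kv = syscall["fields"]
    # SYSCALL records say success=yes/no; user-space records say res=success/failed.
    raw_result = kv.get("success", kv.get("res"))
    event = {
        "auditd.message_type": syscall["type"].lower(),
        "auditd.sequence": syscall["sequence"],
        "auditd.session": kv.get("ses"),
        "auditd.result": None if raw_result is None
        else ("success" if raw_result in ("yes", "success") else "fail"),
        # primary = login identity (auid), which su/sudo do not change;
        # secondary = the uid the process actually ran with.
        "auditd.summary.actor.primary": NAME_MAP.get(kv.get("auid"), kv.get("auid")),
        "auditd.summary.actor.secondary": NAME_MAP.get(kv.get("uid"), kv.get("uid")),
        "auditd.summary.how": kv.get("exe"),
        "auditd.data.syscall": kv.get("syscall"),
        "auditd.data.exit": kv.get("exit"),
        "auditd.messages": [r["raw"] for r in records],
    }
    for r in records:
        if r["type"] == "EXECVE":
            # EXECVE carries argc and a0..aN: rebuild argv in order.
            argc = int(r["fields"]["argc"])
            event["process.args"] = [r["fields"]["a%d" % i] for i in range(argc)]
        elif r["type"] == "PROCTITLE":
            # proctitle is hex-encoded when it contains NULs; NUL separates argv entries.
            title = bytes.fromhex(r["fields"]["proctitle"])
            event["process.title"] = " ".join(
                p.decode("utf-8", "replace") for p in title.split(b"\x00") if p)
    return event


def coalesce(raw_text):
    """Group raw records by sequence number, one event per sequence, in order."""
    groups = defaultdict(list)
    for line in raw_text.splitlines():
        rec = parse_record(line)
        if rec:
            groups[rec["sequence"]].append(rec)
    return [build_event(recs) for _, recs in sorted(groups.items())]


def actor_changed(event):
    """True when the login identity differs from the running uid (su/sudo in play)."""
    return event["auditd.summary.actor.primary"] != event["auditd.summary.actor.secondary"]


def sequence_gap(previous, current):
    """Records missed between two consecutive events; safe across uint32 rollover."""
    return (current - previous - 1) % (1 << 32)


if __name__ == "__main__":
    events = coalesce(SAMPLE_RAW)
    for prev, cur in zip(events, events[1:]):
        print("gap after", prev["auditd.sequence"], "=",
              sequence_gap(prev["auditd.sequence"], cur["auditd.sequence"]))
    for ev in events:
        print(ev["auditd.sequence"], ev["auditd.result"],
              ev["auditd.summary.actor.primary"], "->", ev["auditd.summary.actor.secondary"],
              "via", ev["auditd.summary.how"], "actor_changed =", actor_changed(ev))
```

A non-zero sequence_gap between events that arrive in order is the signal that the kernel dropped records (see auditd.data.audit_backlog_limit below); because the counter wraps, comparing raw sequence numbers with a plain subtraction would report a huge negative gap at the rollover instead.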
paths

List of paths associated with the event.
-
auditd.paths.inode
-
inode number
type: keyword
-
auditd.paths.dev
-
device name as found in /dev
type: keyword
-
auditd.paths.obj_user
-
type: keyword
-
auditd.paths.obj_role
-
type: keyword
-
auditd.paths.obj_domain
-
type: keyword
-
auditd.paths.obj_level
-
type: keyword
-
auditd.paths.objtype
-
type: keyword
-
auditd.paths.ouid
-
file owner user ID
type: keyword
-
auditd.paths.rdev
-
the device identifier (special files only)
type: keyword
-
auditd.paths.nametype
-
kind of file operation being referenced
type: keyword
-
auditd.paths.ogid
-
file owner group ID
type: keyword
-
auditd.paths.item
-
which item is being recorded
type: keyword
-
auditd.paths.mode
-
mode flags on a file
type: keyword
-
auditd.paths.name
-
file name as recorded in the PATH record
type: keyword
data

The data from the audit messages.
-
auditd.data.action
-
netfilter packet disposition
type: keyword
-
auditd.data.minor
-
device minor number
type: keyword
-
auditd.data.acct
-
a user’s account name
type: keyword
-
auditd.data.addr
-
the remote address that the user is connecting from
type: keyword
-
auditd.data.cipher
-
name of crypto cipher selected
type: keyword
-
auditd.data.id
-
during account changes
type: keyword
-
auditd.data.entries
-
number of entries in the netfilter table
type: keyword
-
auditd.data.kind
-
server or client in crypto operation
type: keyword
-
auditd.data.ksize
-
key size for crypto operation
type: keyword
-
auditd.data.spid
-
sent process ID
type: keyword
-
auditd.data.arch
-
the elf architecture flags
type: keyword
-
auditd.data.argc
-
the number of arguments to an execve syscall
type: keyword
-
auditd.data.major
-
device major number
type: keyword
-
auditd.data.unit
-
systemd unit
type: keyword
-
auditd.data.table
-
netfilter table name
type: keyword
-
auditd.data.terminal
-
terminal name the user is running programs on
type: keyword
-
auditd.data.grantors
-
pam modules approving the action
type: keyword
-
auditd.data.direction
-
direction of crypto operation
type: keyword
-
auditd.data.op
-
the operation being performed that is audited
type: keyword
-
auditd.data.tty
-
tty device the user is running programs on
type: keyword
-
auditd.data.syscall
-
syscall number in effect when the event occurred
type: keyword
-
auditd.data.data
-
TTY text
type: keyword
-
auditd.data.family
-
netfilter protocol
type: keyword
-
auditd.data.mac
-
crypto MAC algorithm selected
type: keyword
-
auditd.data.pfs
-
perfect forward secrecy method
type: keyword
-
auditd.data.items
-
the number of path records in the event
type: keyword
-
auditd.data.a0
-
type: keyword
-
auditd.data.a1
-
type: keyword
-
auditd.data.a2
-
type: keyword
-
auditd.data.a3
-
type: keyword
-
auditd.data.hostname
-
the hostname that the user is connecting from
type: keyword
-
auditd.data.lport
-
local network port
type: keyword
-
auditd.data.rport
-
remote port number
type: keyword
-
auditd.data.exit
-
syscall exit code
type: keyword
-
auditd.data.fp
-
crypto key finger print
type: keyword
-
auditd.data.laddr
-
local network address
type: keyword
-
auditd.data.sport
-
local port number
type: keyword
-
auditd.data.capability
-
posix capabilities
type: keyword
-
auditd.data.nargs
-
the number of arguments to a socket call
type: keyword
-
auditd.data.new-enabled
-
new TTY audit enabled setting
type: keyword
-
auditd.data.audit_backlog_limit
-
audit system’s backlog queue size
type: keyword
-
auditd.data.dir
-
directory name
type: keyword
-
auditd.data.cap_pe
-
process effective capability map
type: keyword
-
auditd.data.model
-
security model being used for virt
type: keyword
-
auditd.data.new_pp
-
new process permitted capability map
type: keyword
-
auditd.data.old-enabled
-
present TTY audit enabled setting
type: keyword
-
auditd.data.oauid
-
object’s login user ID
type: keyword
-
auditd.data.old
-
old value
type: keyword
-
auditd.data.banners
-
banners used on printed page
type: keyword
-
auditd.data.feature
-
kernel feature being changed
type: keyword
-
auditd.data.vm-ctx
-
the vm’s context string
type: keyword
-
auditd.data.opid
-
object’s process ID
type: keyword
-
auditd.data.seperms
-
SELinux permissions being used
type: keyword
-
auditd.data.seresult
-
SELinux AVC decision granted/denied
type: keyword
-
auditd.data.new-rng
-
device name of rng being added from a vm
type: keyword
-
auditd.data.old-net
-
present MAC address assigned to vm
type: keyword
-
auditd.data.sigev_signo
-
signal number
type: keyword
-
auditd.data.ino
-
inode number
type: keyword
-
auditd.data.old_enforcing
-
old MAC enforcement status
type: keyword
-
auditd.data.old-vcpu
-
present number of CPU cores
type: keyword
-
auditd.data.range
-
user’s SELinux range
type: keyword
-
auditd.data.res
-
result of the audited operation (success/fail)
type: keyword
-
auditd.data.added
-
number of new files detected
type: keyword
-
auditd.data.fam
-
socket address family
type: keyword
-
auditd.data.nlnk-pid
-
pid of netlink packet sender
type: keyword
-
auditd.data.subj
-
lspp subject’s context string
type: keyword
-
auditd.data.a[0-3]
-
the arguments to a syscall
type: keyword
-
auditd.data.cgroup
-
path to cgroup in sysfs
type: keyword
-
auditd.data.kernel
-
kernel’s version number
type: keyword
-
auditd.data.ocomm
-
object’s command line name
type: keyword
-
auditd.data.new-net
-
MAC address being assigned to vm
type: keyword
-
auditd.data.permissive
-
SELinux is in permissive mode
type: keyword
-
auditd.data.class
-
resource class assigned to vm
type: keyword
-
auditd.data.compat
-
is_compat_task result
type: keyword
-
auditd.data.fi
-
file assigned inherited capability map
type: keyword
-
auditd.data.changed
-
number of changed files
type: keyword
-
auditd.data.msg
-
the payload of the audit record
type: keyword
-
auditd.data.dport
-
remote port number
type: keyword
-
auditd.data.new-seuser
-
new SELinux user
type: keyword
-
auditd.data.invalid_context
-
SELinux context
type: keyword
-
auditd.data.dmac
-
remote MAC address
type: keyword
-
auditd.data.ipx-net
-
IPX network number
type: keyword
-
auditd.data.iuid
-
ipc object’s user ID
type: keyword
-
auditd.data.macproto
-
ethernet packet type ID field
type: keyword
-
auditd.data.obj
-
lspp object context string
type: keyword
-
auditd.data.ipid
-
IP datagram fragment identifier
type: keyword
-
auditd.data.new-fs
-
file system being added to vm
type: keyword
-
auditd.data.vm-pid
-
vm’s process ID
type: keyword
-
auditd.data.cap_pi
-
process inherited capability map
type: keyword
-
auditd.data.old-auid
-
previous auid value
type: keyword
-
auditd.data.oses
-
object’s session ID
type: keyword
-
auditd.data.fd
-
file descriptor number
type: keyword
-
auditd.data.igid
-
ipc object’s group ID
type: keyword
-
auditd.data.new-disk
-
disk being added to vm
type: keyword
-
auditd.data.parent
-
the inode number of the parent file
type: keyword
-
auditd.data.len
-
length
type: keyword
-
auditd.data.oflag
-
open syscall flags
type: keyword
-
auditd.data.uuid
-
a UUID
type: keyword
-
auditd.data.code
-
seccomp action code
type: keyword
-
auditd.data.nlnk-grp
-
netlink group number
type: keyword
-
auditd.data.cap_fp
-
file permitted capability map
type: keyword
-
auditd.data.new-mem
-
new amount of memory in KB
type: keyword
-
auditd.data.seperm
-
SELinux permission being decided on
type: keyword
-
auditd.data.enforcing
-
new MAC enforcement status
type: keyword
-
auditd.data.new-chardev
-
new character device being assigned to vm
type: keyword
-
auditd.data.old-rng
-
device name of rng being removed from a vm
type: keyword
-
auditd.data.outif
-
out interface number
type: keyword
-
auditd.data.cmd
-
command being executed
type: keyword
-
auditd.data.hook
-
netfilter hook that packet came from
type: keyword
-
auditd.data.new-level
-
new run level
type: keyword
-
auditd.data.sauid
-
sent login user ID
type: keyword
-
auditd.data.sig
-
signal number
type: keyword
-
auditd.data.audit_backlog_wait_time
-
audit system’s backlog wait time
type: keyword
-
auditd.data.printer
-
printer name
type: keyword
-
auditd.data.old-mem
-
present amount of memory in KB
type: keyword
-
auditd.data.perm
-
the file permission being used
type: keyword
-
auditd.data.old_pi
-
old process inherited capability map
type: keyword
-
auditd.data.state
-
audit daemon configuration resulting state
type: keyword
-
auditd.data.format
-
audit log’s format
type: keyword
-
auditd.data.new_gid
-
new group ID being assigned
type: keyword
-
auditd.data.tcontext
-
the target’s or object’s context string
type: keyword
-
auditd.data.maj
-
device major number
type: keyword
-
auditd.data.watch
-
file name in a watch record
type: keyword
-
auditd.data.device
-
device name
type: keyword
-
auditd.data.grp
-
group name
type: keyword
-
auditd.data.bool
-
name of SELinux boolean
type: keyword
-
auditd.data.icmp_type
-
type of icmp message
type: keyword
-
auditd.data.new_lock
-
new value of feature lock
type: keyword
-
auditd.data.old_prom
-
network promiscuity flag
type: keyword
-
auditd.data.acl
-
access mode of resource assigned to vm
type: keyword
-
auditd.data.ip
-
network address of a printer
type: keyword
-
auditd.data.new_pi
-
new process inherited capability map
type: keyword
-
auditd.data.default-context
-
default MAC context
type: keyword
-
auditd.data.inode_gid
-
group ID of the inode’s owner
type: keyword
-
auditd.data.new-log_passwd
-
new value for TTY password logging
type: keyword
-
auditd.data.new_pe
-
new process effective capability map
type: keyword
-
auditd.data.selected-context
-
new MAC context assigned to session
type: keyword
-
auditd.data.cap_fver
-
file system capabilities version number
type: keyword
-
auditd.data.file
-
file name
type: keyword
-
auditd.data.net
-
network MAC address
type: keyword
-
auditd.data.virt
-
kind of virtualization being referenced
type: keyword
-
auditd.data.cap_pp
-
process permitted capability map
type: keyword
-
auditd.data.old-range
-
present SELinux range
type: keyword
-
auditd.data.resrc
-
resource being assigned
type: keyword
-
auditd.data.new-range
-
new SELinux range
type: keyword
-
auditd.data.obj_gid
-
group ID of object
type: keyword
-
auditd.data.proto
-
network protocol
type: keyword
-
auditd.data.old-disk
-
disk being removed from vm
type: keyword
-
auditd.data.audit_failure
-
audit system’s failure mode
type: keyword
-
auditd.data.inif
-
in interface number
type: keyword
-
auditd.data.vm
-
virtual machine name
type: keyword
-
auditd.data.flags
-
mmap syscall flags
type: keyword
-
auditd.data.nlnk-fam
-
netlink protocol number
type: keyword
-
auditd.data.old-fs
-
file system being removed from vm
type: keyword
-
auditd.data.old-ses
-
previous ses value
type: keyword
-
auditd.data.seqno
-
sequence number
type: keyword
-
auditd.data.fver
-
file system capabilities version number
type: keyword
-
auditd.data.qbytes
-
ipc objects quantity of bytes
type: keyword
-
auditd.data.seuser
-
user’s SELinux user account
type: keyword
-
auditd.data.cap_fe
-
file assigned effective capability map
type: keyword
-
auditd.data.new-vcpu
-
new number of CPU cores
type: keyword
-
auditd.data.old-level
-
old run level
type: keyword
-
auditd.data.old_pp
-
old process permitted capability map
type: keyword
-
auditd.data.daddr
-
remote IP address
type: keyword
-
auditd.data.old-role
-
present SELinux role
type: keyword
-
auditd.data.ioctlcmd
-
The request argument to the ioctl syscall
type: keyword
-
auditd.data.smac
-
local MAC address
type: keyword
-
auditd.data.apparmor
-
apparmor event information
type: keyword
-
auditd.data.fe
-
file assigned effective capability map
type: keyword
-
auditd.data.perm_mask
-
file permission mask that triggered a watch event
type: keyword
-
auditd.data.ses
-
login session ID
type: keyword
-
auditd.data.cap_fi
-
file inherited capability map
type: keyword
-
auditd.data.obj_uid
-
user ID of object
type: keyword
-
auditd.data.reason
-
text string denoting a reason for the action
type: keyword
-
auditd.data.list
-
the audit system’s filter list number
type: keyword
-
auditd.data.old_lock
-
present value of feature lock
type: keyword
-
auditd.data.bus
-
name of subsystem bus a vm resource belongs to
type: keyword
-
auditd.data.old_pe
-
old process effective capability map
type: keyword
-
auditd.data.new-role
-
new SELinux role
type: keyword
-
auditd.data.prom
-
network promiscuity flag
type: keyword
-
auditd.data.uri
-
URI pointing to a printer
type: keyword
-
auditd.data.audit_enabled
-
audit system’s enable/disable status
type: keyword
-
auditd.data.old-log_passwd
-
present value for TTY password logging
type: keyword
-
auditd.data.old-seuser
-
present SELinux user
type: keyword
-
auditd.data.per
-
linux personality
type: keyword
-
auditd.data.scontext
-
the subject’s context string
type: keyword
-
auditd.data.tclass
-
target’s object classification
type: keyword
-
auditd.data.ver
-
audit daemon’s version number
type: keyword
-
auditd.data.new
-
value being set in feature
type: keyword
-
auditd.data.val
-
generic value associated with the operation
type: keyword
-
auditd.data.img-ctx
-
the vm’s disk image context string
type: keyword
-
auditd.data.old-chardev
-
present character device assigned to vm
type: keyword
-
auditd.data.old_val
-
current value of SELinux boolean
type: keyword
-
auditd.data.success
-
whether the syscall was successful or not
type: keyword
-
auditd.data.inode_uid
-
user ID of the inode’s owner
type: keyword
-
auditd.data.removed
-
number of deleted files
type: keyword
-
auditd.data.socket.port
-
The port number.
type: keyword
-
auditd.data.socket.saddr
-
The raw socket address structure.
type: keyword
-
auditd.data.socket.addr
-
The remote address.
type: keyword
-
auditd.data.socket.family
-
The socket family (unix, ipv4, ipv6, netlink).
type: keyword
example: unix
-
auditd.data.socket.path
-
This is the path associated with a unix socket.
type: keyword
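The socket fields above are decoded from the raw sockaddr bytes that the kernel records as saddr=... in hex (auditd.data.socket.saddr). The following added Python example, which is not code from the original page or the Auditbeat project, decodes that blob into the family, addr, port and path values the page documents, using constructed saddr strings for each of the four families listed under auditd.data.socket.family. The "pid" and "groups" keys it emits for netlink addresses are this example's own names, not fields on this page, and the little-endian reading of sa_family assumes an x86-64 or arm64 host.

```python
import ipaddress
import struct

# Linux address-family numbers; the names are the values Auditbeat writes
# into auditd.data.socket.family.
AF_UNIX, AF_INET, AF_INET6, AF_NETLINK = 1, 2, 10, 16
FAMILY_NAMES = {AF_UNIX: "unix", AF_INET: "ipv4", AF_INET6: "ipv6", AF_NETLINK: "netlink"}


def decode_saddr(saddr_hex: str) -> dict:
    """Decode a saddr=... hex blob into socket family/addr/port/path.

    The blob is the raw struct sockaddr the kernel copied from the syscall
    argument, so its layout depends only on sa_family. sa_family_t is a
    native-endian uint16; little-endian is assumed here (x86-64/arm64).
    Truncated structures yield only the family rather than garbage values.
    """
    raw = bytes.fromhex(saddr_hex)
    if len(raw) < 2:
        raise ValueError("saddr shorter than sa_family")
    family = struct.unpack_from("<H", raw, 0)[0]
    out = {"family": FAMILY_NAMES.get(family, str(family))}

    if family == AF_INET and len(raw) >= 8:
        # sockaddr_in: family(2) sin_port(2, network order) sin_addr(4) pad(8)
        out["port"] = struct.unpack_from("!H", raw, 2)[0]
        out["addr"] = str(ipaddress.IPv4Address(raw[4:8]))
    elif family == AF_INET6 and len(raw) >= 24:
        # sockaddr_in6: family(2) sin6_port(2) flowinfo(4) sin6_addr(16) scope_id(4)
        out["port"] = struct.unpack_from("!H", raw, 2)[0]
        out["addr"] = str(ipaddress.IPv6Address(raw[8:24]))
    elif family == AF_UNIX:
        # sockaddr_un: family(2) sun_path(up to 108 bytes). A leading NUL marks an
        # abstract-namespace socket, which has no filesystem path; shown as "@name".
        path = raw[2:]
        if path[:1] == b"\x00":
            out["path"] = "@" + path[1:].split(b"\x00", 1)[0].decode("utf-8", "replace")
        else:
            out["path"] = path.split(b"\x00", 1)[0].decode("utf-8", "replace")
    elif family == AF_NETLINK and len(raw) >= 12:
        # sockaddr_nl: family(2) pad(2) nl_pid(4) nl_groups(4), host byte order.
        # "pid"/"groups" are this example's own key names (assumption).
        out["pid"], out["groups"] = struct.unpack_from("<II", raw, 4)
    return out


if __name__ == "__main__":
    # Constructed saddr values, one per family (not captured from a real host).
    samples = [
        "020000507F000001" + "00" * 8,                       # 127.0.0.1:80
        "0A0001BB00000000" + "00" * 15 + "01" + "00000000",  # [::1]:443
        (b"\x01\x00" + b"/run/docker.sock\x00").hex(),       # unix path socket
        (b"\x01\x00\x00" + b"dbus-abstract").hex(),          # abstract unix socket
        "1000" + "0000" + "00000000" + "01000000",           # netlink pid 0, groups 1
    ]
    for s in samples:
        print(s, "->", decode_saddr(s))
```

Abstract-namespace unix sockets are worth distinguishing because they bypass filesystem permissions entirely; a connect to one shows up with an empty path unless the leading NUL is handled, as above.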
-
auditd.messages
-
An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if include_raw_message is set in the config.
type: alias
alias to: event.original
-
auditd.warnings
-
The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.
type: alias
alias to: error.message
geoip

The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or Ingest Node.
-
geoip.continent_name
-
The name of the continent.
type: keyword
-
geoip.city_name
-
The name of the city.
type: keyword
-
geoip.region_name
-
The name of the region.
type: keyword
-
geoip.country_iso_code
-
Country ISO code.
type: keyword
-
geoip.location
-
The longitude and latitude.
type: geo_point