- Auditbeat Reference: other versions:
- Auditbeat overview
- Quick start: installation and configuration
- Set up and run
- Upgrade Auditbeat
- Configure
- Modules
- General settings
- Project paths
- Config file reloading
- Output
- Kerberos
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- rate_limit
- registered_domain
- rename
- translate_sid
- truncate_fields
- urldecode
- Internal queue
- Logging
- HTTP endpoint
- Regular expression support
- Instrumentation
- auditbeat.reference.yml
- How to guides
- Modules
- Exported fields
- Monitor
- Secure
- Troubleshoot
- Get Help
- Debug
- Common problems
- Auditbeat fails to watch folders because too many files are open
- Auditbeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- Publishing to Logstash fails with "connection reset by peer" message
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Dashboard could not locate the index-pattern
- Contribute to Beats
Common fields
editCommon fields
editContains common fields available in all event types.
file
editFile attributes.
-
file.setuid -
Set if the file has the
setuidbit set. Omitted otherwise.type: boolean
example: True
-
file.setgid -
Set if the file has the
setgidbit set. Omitted otherwise.type: boolean
example: True
-
file.origin -
An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.
type: keyword
-
file.origin.raw -
This is a non-analyzed field that is useful for aggregations on the origin data.
type: keyword
selinux
editThe SELinux identity of the file.
-
file.selinux.user -
The owner of the object.
type: keyword
-
file.selinux.role -
The object’s SELinux role.
type: keyword
-
file.selinux.domain -
The object’s SELinux domain or type.
type: keyword
-
file.selinux.level -
The object’s SELinux level.
type: keyword
example: s0
user
editUser information.
audit
editAudit user information.
-
user.audit.id -
Audit user ID.
type: keyword
-
user.audit.name -
Audit user name.
type: keyword
filesystem
editFilesystem user information.
-
user.filesystem.id -
Filesystem user ID.
type: keyword
-
user.filesystem.name -
Filesystem user name.
type: keyword
group
editFilesystem group information.
-
user.filesystem.group.id -
Filesystem group ID.
type: keyword
-
user.filesystem.group.name -
Filesystem group name.
type: keyword
saved
editSaved user information.
-
user.saved.id -
Saved user ID.
type: keyword
-
user.saved.name -
Saved user name.
type: keyword
group
editSaved group information.
-
user.saved.group.id -
Saved group ID.
type: keyword
-
user.saved.group.name -
Saved group name.
type: keyword