Auditd fields
Module for parsing auditd logs.
- user.terminal
  type: keyword
  Terminal or tty device on which the user is performing the observed activity.
- user.audit.id
  type: keyword
  One or multiple unique identifiers of the user.
- user.audit.name
  type: keyword
  example: albert
  Short name or login of the user.
- user.audit.group.id
  type: keyword
  Unique identifier for the group on the system/platform.
- user.audit.group.name
  type: keyword
  Name of the group.
- user.effective.id
  type: keyword
  One or multiple unique identifiers of the user.
- user.effective.name
  type: keyword
  example: albert
  Short name or login of the user.
- user.effective.group.id
  type: keyword
  Unique identifier for the group on the system/platform.
- user.effective.group.name
  type: keyword
  Name of the group.
- user.filesystem.id
  type: keyword
  One or multiple unique identifiers of the user.
- user.filesystem.name
  type: keyword
  example: albert
  Short name or login of the user.
- user.filesystem.group.id
  type: keyword
  Unique identifier for the group on the system/platform.
- user.filesystem.group.name
  type: keyword
  Name of the group.
- user.owner.id
  type: keyword
  One or multiple unique identifiers of the user.
- user.owner.name
  type: keyword
  example: albert
  Short name or login of the user.
- user.owner.group.id
  type: keyword
  Unique identifier for the group on the system/platform.
- user.owner.group.name
  type: keyword
  Name of the group.
- user.saved.id
  type: keyword
  One or multiple unique identifiers of the user.
- user.saved.name
  type: keyword
  example: albert
  Short name or login of the user.
- user.saved.group.id
  type: keyword
  Unique identifier for the group on the system/platform.
- user.saved.group.name
  type: keyword
  Name of the group.
auditd fields
Fields from the auditd logs.
log fields
Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type.
- auditd.log.old_auid
  For login events this is the old audit ID used for the user prior to this login.
- auditd.log.new_auid
  For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).
- auditd.log.old_ses
  For login events this is the old session ID used for the user prior to this login.
- auditd.log.new_ses
  For login events this is the new session ID. It can be used to tie a user to future events by session ID.
- auditd.log.sequence
  type: long
  The audit event sequence number.
- auditd.log.items
  The number of items in an event.
- auditd.log.item
  Indicates which item, out of the total number of items in the event, this record describes. This number is zero-based; a value of 0 means it is the first item.
- auditd.log.tty
  type: keyword
- auditd.log.a0
  The first argument to the system call.
- auditd.log.addr
  type: ip
- auditd.log.rport
  type: long
- auditd.log.laddr
  type: ip
- auditd.log.lport
  type: long
- auditd.log.acct
  type: alias
  alias to: user.name
- auditd.log.pid
  type: alias
  alias to: process.pid
- auditd.log.ppid
  type: alias
  alias to: process.ppid
- auditd.log.res
  type: alias
  alias to: event.outcome
- auditd.log.record_type
  type: alias
  alias to: event.action
- auditd.log.geoip.continent_name
  type: alias
  alias to: source.geo.continent_name
- auditd.log.geoip.country_iso_code
  type: alias
  alias to: source.geo.country_iso_code
- auditd.log.geoip.location
  type: alias
  alias to: source.geo.location
- auditd.log.geoip.region_name
  type: alias
  alias to: source.geo.region_name
- auditd.log.geoip.city_name
  type: alias
  alias to: source.geo.city_name
- auditd.log.geoip.region_iso_code
  type: alias
  alias to: source.geo.region_iso_code
- auditd.log.arch
  type: alias
  alias to: host.architecture
- auditd.log.gid
  type: alias
  alias to: user.group.id
- auditd.log.uid
  type: alias
  alias to: user.id
- auditd.log.agid
  type: alias
  alias to: user.audit.group.id
- auditd.log.auid
  type: alias
  alias to: user.audit.id
- auditd.log.fsgid
  type: alias
  alias to: user.filesystem.group.id
- auditd.log.fsuid
  type: alias
  alias to: user.filesystem.id
- auditd.log.egid
  type: alias
  alias to: user.effective.group.id
- auditd.log.euid
  type: alias
  alias to: user.effective.id
- auditd.log.sgid
  type: alias
  alias to: user.saved.group.id
- auditd.log.suid
  type: alias
  alias to: user.saved.id
- auditd.log.ogid
  type: alias
  alias to: user.owner.group.id
- auditd.log.ouid
  type: alias
  alias to: user.owner.id
- auditd.log.comm
  type: alias
  alias to: process.name
- auditd.log.exe
  type: alias
  alias to: process.executable
- auditd.log.terminal
  type: alias
  alias to: user.terminal
- auditd.log.msg
  type: alias
  alias to: message
- auditd.log.src
  type: alias
  alias to: source.address
- auditd.log.dst
  type: alias
  alias to: destination.address