WARNING: Version 6.0 of Auditbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Audit Fields
The audit module reports security-relevant information based on data captured from the operating system (OS) or services running on the OS.
audit Fields
file Fields
The file metricset generates events when a file changes on disk.
audit.file.path
type: keyword
The path to the file.
audit.file.target_path
type: keyword
The target path for symlinks.
audit.file.action
type: keyword
example: attributes_modified
Action describes the change to the file. The possible values are: attributes_modified, created, deleted, updated, and moved.
audit.file.type
type: keyword
The file type (file, dir, or symlink).
audit.file.inode
type: keyword
The inode representing the file in the filesystem.
audit.file.uid
type: keyword
The user ID (UID) of the file owner.
audit.file.owner
type: keyword
The file owner’s username.
audit.file.gid
type: keyword
The primary group ID (GID) of the file.
audit.file.group
type: keyword
The primary group name of the file.
audit.file.sid
type: keyword
The security identifier (SID) of the file owner (Windows only).
audit.file.mode
type: keyword
example: 416
The mode of the file in octal representation.
audit.file.size
type: long
The file size in bytes.
audit.file.atime
type: date
The last access time of the file.
audit.file.mtime
type: date
The last modified time of the file.
audit.file.ctime
type: date
The creation time of the file.
audit.file.hashed
type: boolean
Boolean indicating if the event includes file hashes. If true, the md5, sha1, and sha256 fields will be present.
audit.file.md5
type: keyword
MD5 hash of the file.
audit.file.sha1
type: keyword
SHA1 hash of the file.
audit.file.sha256
type: keyword
SHA256 hash of the file.
kernel Fields
The kernel metricset reports audit events received from the Linux Audit Framework, which is part of the Linux kernel.
audit.kernel.action
type: keyword
example: logged-in
A description of the action taken by the user.
actor Fields
The actor is the user that triggered the audit event.
attrs Fields
Attributes of the actor.
audit.kernel.actor.attrs.auid
type: keyword
login user ID
audit.kernel.actor.attrs.uid
type: keyword
user ID
audit.kernel.actor.attrs.euid
type: keyword
effective user ID
audit.kernel.actor.attrs.fsuid
type: keyword
file system user ID
audit.kernel.actor.attrs.suid
type: keyword
sent user ID
audit.kernel.actor.attrs.gid
type: keyword
group ID
audit.kernel.actor.attrs.egid
type: keyword
effective group ID
audit.kernel.actor.attrs.sgid
type: keyword
set group ID
audit.kernel.actor.attrs.fsgid
type: keyword
file system group ID
audit.kernel.actor.primary
type: keyword
The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.
audit.kernel.actor.secondary
type: keyword
The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su.
selinux Fields
The SELinux identity of the actor.
audit.kernel.actor.selinux.user
type: keyword
account submitted for authentication
audit.kernel.actor.selinux.role
type: keyword
user’s SELinux role
audit.kernel.actor.selinux.domain
type: keyword
The actor’s SELinux domain or type.
audit.kernel.actor.selinux.level
type: keyword
example: s0
The actor’s SELinux level.
audit.kernel.actor.selinux.category
type: keyword
The actor’s SELinux category or compartments.
audit.kernel.category
type: keyword
example: audit-rule
The event’s category is a value derived from the record_type.
audit.kernel.sequence
type: long
The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can roll over.
audit.kernel.session
type: keyword
The session ID assigned to a login. All events related to a login session will have the same value.
paths Fields
List of paths associated with the event.
audit.kernel.paths.inode
type: keyword
inode number
audit.kernel.paths.dev
type: keyword
device name as found in /dev
audit.kernel.paths.obj_user
type: keyword
audit.kernel.paths.obj_role
type: keyword
audit.kernel.paths.obj_domain
type: keyword
audit.kernel.paths.obj_level
type: keyword
audit.kernel.paths.objtype
type: keyword
audit.kernel.paths.ouid
type: keyword
file owner user ID
audit.kernel.paths.rdev
type: keyword
the device identifier (special files only)
audit.kernel.paths.nametype
type: keyword
kind of file operation being referenced
audit.kernel.paths.ogid
type: keyword
file owner group ID
audit.kernel.paths.item
type: keyword
which item is being recorded
audit.kernel.paths.mode
type: keyword
mode flags on a file
audit.kernel.paths.name
type: keyword
file name in avcs
audit.kernel.record_type
type: keyword
The audit record’s type.
socket Fields
Socket data from sockaddr messages.
audit.kernel.socket.port
type: keyword
The port number.
audit.kernel.socket.saddr
type: keyword
The raw socket address structure.
audit.kernel.socket.addr
type: keyword
The remote address.
audit.kernel.socket.family
type: keyword
example: unix
The socket family (unix, ipv4, ipv6, netlink).
audit.kernel.socket.path
type: keyword
This is the path associated with a unix socket.
thing Fields
This is the thing or object being acted upon in the event.
audit.kernel.thing.what
type: keyword
A description of what the "thing" is (e.g. file, socket, user-session).
audit.kernel.thing.primary
type: keyword
audit.kernel.thing.secondary
type: keyword
selinux Fields
The SELinux identity of the object.
audit.kernel.thing.selinux.user
type: keyword
The owner of the object.
audit.kernel.thing.selinux.role
type: keyword
The object’s SELinux role.
audit.kernel.thing.selinux.domain
type: keyword
The object’s SELinux domain or type.
audit.kernel.thing.selinux.level
type: keyword
example: s0
The object’s SELinux level.
audit.kernel.how
type: keyword
This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.
audit.kernel.key
type: keyword
The key assigned to the audit rule that triggered the event.
audit.kernel.result
type: keyword
example: success or fail
The result of the audited operation (success/fail).
data Fields
The data from the audit messages.
audit.kernel.data.action
type: keyword
netfilter packet disposition
audit.kernel.data.minor
type: keyword
device minor number
audit.kernel.data.acct
type: keyword
a user’s account name
audit.kernel.data.addr
type: keyword
the remote address that the user is connecting from
audit.kernel.data.cipher
type: keyword
name of crypto cipher selected
audit.kernel.data.id
type: keyword
during account changes
audit.kernel.data.entries
type: keyword
number of entries in the netfilter table
audit.kernel.data.kind
type: keyword
server or client in crypto operation
audit.kernel.data.ksize
type: keyword
key size for crypto operation
audit.kernel.data.spid
type: keyword
sent process ID
audit.kernel.data.arch
type: keyword
the elf architecture flags
audit.kernel.data.argc
type: keyword
the number of arguments to an execve syscall
audit.kernel.data.major
type: keyword
device major number
audit.kernel.data.unit
type: keyword
systemd unit
audit.kernel.data.table
type: keyword
netfilter table name
audit.kernel.data.terminal
type: keyword
terminal name the user is running programs on
audit.kernel.data.comm
type: keyword
command line program name
audit.kernel.data.exe
type: keyword
executable name
audit.kernel.data.grantors
type: keyword
pam modules approving the action
audit.kernel.data.pid
type: keyword
process ID
audit.kernel.data.direction
type: keyword
direction of crypto operation
audit.kernel.data.op
type: keyword
the operation being performed that is audited
audit.kernel.data.tty
type: keyword
tty device the user is running programs on
audit.kernel.data.proctitle
type: keyword
process title and command line parameters
audit.kernel.data.syscall
type: keyword
syscall number in effect when the event occurred
audit.kernel.data.data
type: keyword
TTY text
audit.kernel.data.family
type: keyword
netfilter protocol
audit.kernel.data.mac
type: keyword
crypto MAC algorithm selected
audit.kernel.data.pfs
type: keyword
perfect forward secrecy method
audit.kernel.data.items
type: keyword
the number of path records in the event
audit.kernel.data.a0
type: keyword
audit.kernel.data.a1
type: keyword
audit.kernel.data.a2
type: keyword
audit.kernel.data.a3
type: keyword
audit.kernel.data.cwd
type: keyword
the current working directory
audit.kernel.data.hostname
type: keyword
the hostname that the user is connecting from
audit.kernel.data.lport
type: keyword
local network port
audit.kernel.data.ppid
type: keyword
parent process ID
audit.kernel.data.rport
type: keyword
remote port number
audit.kernel.data.cmdline
type: keyword
The full command line from the execve message.
audit.kernel.data.exit
type: keyword
syscall exit code
audit.kernel.data.fp
type: keyword
crypto key fingerprint
audit.kernel.data.laddr
type: keyword
local network address
audit.kernel.data.sport
type: keyword
local port number
audit.kernel.data.capability
type: keyword
posix capabilities
audit.kernel.data.nargs
type: keyword
the number of arguments to a socket call
audit.kernel.data.new-enabled
type: keyword
new TTY audit enabled setting
audit.kernel.data.audit_backlog_limit
type: keyword
audit system’s backlog queue size
audit.kernel.data.dir
type: keyword
directory name
audit.kernel.data.cap_pe
type: keyword
process effective capability map
audit.kernel.data.model
type: keyword
security model being used for virt
audit.kernel.data.new_pp
type: keyword
new process permitted capability map
audit.kernel.data.old-enabled
type: keyword
present TTY audit enabled setting
audit.kernel.data.oauid
type: keyword
object’s login user ID
audit.kernel.data.old
type: keyword
old value
audit.kernel.data.banners
type: keyword
banners used on printed page
audit.kernel.data.feature
type: keyword
kernel feature being changed
audit.kernel.data.vm-ctx
type: keyword
the vm’s context string
audit.kernel.data.opid
type: keyword
object’s process ID
audit.kernel.data.seperms
type: keyword
SELinux permissions being used
audit.kernel.data.seresult
type: keyword
SELinux AVC decision granted/denied
audit.kernel.data.new-rng
type: keyword
device name of rng being added from a vm
audit.kernel.data.old-net
type: keyword
present MAC address assigned to vm
audit.kernel.data.sigev_signo
type: keyword
signal number
audit.kernel.data.ino
type: keyword
inode number
audit.kernel.data.old_enforcing
type: keyword
old MAC enforcement status
audit.kernel.data.old-vcpu
type: keyword
present number of CPU cores
audit.kernel.data.range
type: keyword
user’s SELinux range
audit.kernel.data.res
type: keyword
result of the audited operation (success/fail)
audit.kernel.data.added
type: keyword
number of new files detected
audit.kernel.data.fam
type: keyword
socket address family
audit.kernel.data.nlnk-pid
type: keyword
pid of netlink packet sender
audit.kernel.data.subj
type: keyword
lspp subject’s context string
audit.kernel.data.a[0-3]
type: keyword
the arguments to a syscall
audit.kernel.data.cgroup
type: keyword
path to cgroup in sysfs
audit.kernel.data.kernel
type: keyword
kernel’s version number
audit.kernel.data.ocomm
type: keyword
object’s command line name
audit.kernel.data.new-net
type: keyword
MAC address being assigned to vm
audit.kernel.data.permissive
type: keyword
SELinux is in permissive mode
audit.kernel.data.class
type: keyword
resource class assigned to vm
audit.kernel.data.compat
type: keyword
is_compat_task result
audit.kernel.data.fi
type: keyword
file assigned inherited capability map
audit.kernel.data.changed
type: keyword
number of changed files
audit.kernel.data.msg
type: keyword
the payload of the audit record
audit.kernel.data.dport
type: keyword
remote port number
audit.kernel.data.new-seuser
type: keyword
new SELinux user
audit.kernel.data.invalid_context
type: keyword
SELinux context
audit.kernel.data.dmac
type: keyword
remote MAC address
audit.kernel.data.ipx-net
type: keyword
IPX network number
audit.kernel.data.iuid
type: keyword
ipc object’s user ID
audit.kernel.data.macproto
type: keyword
ethernet packet type ID field
audit.kernel.data.obj
type: keyword
lspp object context string
audit.kernel.data.a[[:digit:]+]\[.*\]
type: keyword
the arguments to the execve syscall
audit.kernel.data.ipid
type: keyword
IP datagram fragment identifier
audit.kernel.data.new-fs
type: keyword
file system being added to vm
audit.kernel.data.vm-pid
type: keyword
vm’s process ID
audit.kernel.data.cap_pi
type: keyword
process inherited capability map
audit.kernel.data.old-auid
type: keyword
previous auid value
audit.kernel.data.oses
type: keyword
object’s session ID
audit.kernel.data.fd
type: keyword
file descriptor number
audit.kernel.data.igid
type: keyword
ipc object’s group ID
audit.kernel.data.new-disk
type: keyword
disk being added to vm
audit.kernel.data.parent
type: keyword
the inode number of the parent file
audit.kernel.data.len
type: keyword
length
audit.kernel.data.oflag
type: keyword
open syscall flags
audit.kernel.data.uuid
type: keyword
a UUID
audit.kernel.data.code
type: keyword
seccomp action code
audit.kernel.data.nlnk-grp
type: keyword
netlink group number
audit.kernel.data.cap_fp
type: keyword
file permitted capability map
audit.kernel.data.new-mem
type: keyword
new amount of memory in KB
audit.kernel.data.seperm
type: keyword
SELinux permission being decided on
audit.kernel.data.enforcing
type: keyword
new MAC enforcement status
audit.kernel.data.new-chardev
type: keyword
new character device being assigned to vm
audit.kernel.data.old-rng
type: keyword
device name of rng being removed from a vm
audit.kernel.data.outif
type: keyword
out interface number
audit.kernel.data.cmd
type: keyword
command being executed
audit.kernel.data.hook
type: keyword
netfilter hook that packet came from
audit.kernel.data.new-level
type: keyword
new run level
audit.kernel.data.sauid
type: keyword
sent login user ID
audit.kernel.data.sig
type: keyword
signal number
audit.kernel.data.audit_backlog_wait_time
type: keyword
audit system’s backlog wait time
audit.kernel.data.printer
type: keyword
printer name
audit.kernel.data.old-mem
type: keyword
present amount of memory in KB
present amount of memory in KB
audit.kernel.data.permedit
type: keyword
the file permission being used
audit.kernel.data.old_piedit
type: keyword
old process inherited capability map
audit.kernel.data.stateedit
type: keyword
audit daemon configuration resulting state
audit.kernel.data.formatedit
type: keyword
audit log’s format
audit.kernel.data.new_gidedit
type: keyword
new group ID being assigned
audit.kernel.data.tcontextedit
type: keyword
the target’s or object’s context string
audit.kernel.data.majedit
type: keyword
device major number
audit.kernel.data.watchedit
type: keyword
file name in a watch record
audit.kernel.data.deviceedit
type: keyword
device name
audit.kernel.data.grpedit
type: keyword
group name
audit.kernel.data.booledit
type: keyword
name of SELinux boolean
audit.kernel.data.icmp_typeedit
type: keyword
type of icmp message
audit.kernel.data.new_lockedit
type: keyword
new value of feature lock
audit.kernel.data.old_promedit
type: keyword
network promiscuity flag
audit.kernel.data.acledit
type: keyword
access mode of resource assigned to vm
audit.kernel.data.ipedit
type: keyword
network address of a printer
audit.kernel.data.new_piedit
type: keyword
new process inherited capability map
audit.kernel.data.default-contextedit
type: keyword
default MAC context
audit.kernel.data.inode_gidedit
type: keyword
group ID of the inode’s owner
audit.kernel.data.new-log_passwdedit
type: keyword
new value for TTY password logging
audit.kernel.data.new_peedit
type: keyword
new process effective capability map
audit.kernel.data.selected-contextedit
type: keyword
new MAC context assigned to session
audit.kernel.data.cap_fveredit
type: keyword
file system capabilities version number
audit.kernel.data.fileedit
type: keyword
file name
audit.kernel.data.netedit
type: keyword
network MAC address
audit.kernel.data.virtedit
type: keyword
kind of virtualization being referenced
audit.kernel.data.cap_ppedit
type: keyword
process permitted capability map
audit.kernel.data.old-rangeedit
type: keyword
present SELinux range
audit.kernel.data.resrcedit
type: keyword
resource being assigned
audit.kernel.data.new-rangeedit
type: keyword
new SELinux range
audit.kernel.data.obj_gidedit
type: keyword
group ID of object
audit.kernel.data.protoedit
type: keyword
network protocol
audit.kernel.data.old-diskedit
type: keyword
disk being removed from vm
audit.kernel.data.audit_failureedit
type: keyword
audit system’s failure mode
audit.kernel.data.inifedit
type: keyword
in interface number
audit.kernel.data.vmedit
type: keyword
virtual machine name
audit.kernel.data.flagsedit
type: keyword
mmap syscall flags
audit.kernel.data.nlnk-famedit
type: keyword
netlink protocol number
audit.kernel.data.old-fsedit
type: keyword
file system being removed from vm
audit.kernel.data.old-sesedit
type: keyword
previous ses value
audit.kernel.data.seqnoedit
type: keyword
sequence number
audit.kernel.data.fveredit
type: keyword
file system capabilities version number
audit.kernel.data.qbytesedit
type: keyword
ipc objects quantity of bytes
audit.kernel.data.seuseredit
type: keyword
user’s SE Linux user acct
audit.kernel.data.cap_feedit
type: keyword
file assigned effective capability map
audit.kernel.data.new-vcpuedit
type: keyword
new number of CPU cores
audit.kernel.data.old-leveledit
type: keyword
old run level
audit.kernel.data.old_ppedit
type: keyword
old process permitted capability map
audit.kernel.data.daddredit
type: keyword
remote IP address
audit.kernel.data.old-roleedit
type: keyword
present SELinux role
audit.kernel.data.ioctlcmdedit
type: keyword
The request argument to the ioctl syscall
audit.kernel.data.smacedit
type: keyword
local MAC address
audit.kernel.data.apparmoredit
type: keyword
apparmor event information
audit.kernel.data.feedit
type: keyword
file assigned effective capability map
audit.kernel.data.perm_maskedit
type: keyword
file permission mask that triggered a watch event
audit.kernel.data.sesedit
type: keyword
login session ID
audit.kernel.data.cap_fiedit
type: keyword
file inherited capability map
audit.kernel.data.obj_uidedit
type: keyword
user ID of object
audit.kernel.data.reasonedit
type: keyword
text string denoting a reason for the action
audit.kernel.data.listedit
type: keyword
the audit system’s filter list number
audit.kernel.data.old_lockedit
type: keyword
present value of feature lock
audit.kernel.data.busedit
type: keyword
name of subsystem bus a vm resource belongs to
audit.kernel.data.old_peedit
type: keyword
old process effective capability map
audit.kernel.data.new-roleedit
type: keyword
new SELinux role
audit.kernel.data.promedit
type: keyword
network promiscuity flag
audit.kernel.data.uriedit
type: keyword
URI pointing to a printer
audit.kernel.data.audit_enablededit
type: keyword
audit systems’s enable/disable status
audit.kernel.data.old-log_passwdedit
type: keyword
present value for TTY password logging
audit.kernel.data.old-seuseredit
type: keyword
present SELinux user
audit.kernel.data.peredit
type: keyword
linux personality
audit.kernel.data.scontextedit
type: keyword
the subject’s context string
audit.kernel.data.tclassedit
type: keyword
target’s object classification
audit.kernel.data.veredit
type: keyword
audit daemon’s version number
audit.kernel.data.newedit
type: keyword
value being set in feature
audit.kernel.data.valedit
type: keyword
generic value associated with the operation
audit.kernel.data.img-ctxedit
type: keyword
the vm’s disk image context string
audit.kernel.data.old-chardevedit
type: keyword
present character device assigned to vm
audit.kernel.data.old_valedit
type: keyword
current value of SELinux boolean
audit.kernel.data.successedit
type: keyword
whether the syscall was successful or not
audit.kernel.data.inode_uidedit
type: keyword
user ID of the inode’s owner
audit.kernel.data.removededit
type: keyword
number of deleted files
audit.kernel.messagesedit
type: text
An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if kernel.include_raw_message
is set in the config.
audit.kernel.warningsedit
type: keyword
The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.
geoip Fieldsedit
Contains GeoIP information gathered based on the os_events.audit.addr
field. Only present if the GeoIP Elasticsearch plugin is available and used.
audit.kernel.geoip.continent_nameedit
type: keyword
The name of the continent.
audit.kernel.geoip.city_nameedit
type: keyword
The name of the city.
audit.kernel.geoip.region_nameedit
type: keyword
The name of the region.
audit.kernel.geoip.country_iso_codeedit
type: keyword
Country ISO code.
audit.kernel.geoip.locationedit
type: geo_point
The longitude and latitude.