WARNING: Version 6.2 of Auditbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Auditd fields
These are the fields generated by the auditd module.
event.category
type: keyword
example: audit-rule
The event’s category is a value derived from the record_type.
event.type
type: keyword
The audit record’s type.
user.auid
type: keyword
login user ID
user.uid
type: keyword
user ID
user.euid
type: keyword
effective user ID
user.fsuid
type: keyword
file system user ID
user.suid
type: keyword
saved user ID (the saved set-user-ID)
user.gid
type: keyword
group ID
user.egid
type: keyword
effective group ID
user.sgid
type: keyword
saved group ID (the saved set-group-ID)
user.fsgid
type: keyword
file system group ID
name_map fields
If resolve_ids is set to true in the configuration then name_map will contain a mapping of uid field names to the resolved name (e.g. auid → root).
user.name_map.auid
type: keyword
login user name
user.name_map.uid
type: keyword
user name
user.name_map.euid
type: keyword
effective user name
user.name_map.fsuid
type: keyword
file system user name
user.name_map.suid
type: keyword
saved user name
user.name_map.gid
type: keyword
group name
user.name_map.egid
type: keyword
effective group name
user.name_map.sgid
type: keyword
saved group name
user.name_map.fsgid
type: keyword
file system group name
selinux fields
The SELinux identity of the actor.
user.selinux.user
type: keyword
The actor’s SELinux user.
user.selinux.role
type: keyword
The actor’s SELinux role.
user.selinux.domain
type: keyword
The actor’s SELinux domain or type.
user.selinux.level
type: keyword
example: s0
The actor’s SELinux level.
user.selinux.category
type: keyword
The actor’s SELinux category or compartments.
process fields
Process attributes.
process.pid
type: keyword
Process ID.
process.ppid
type: keyword
Parent process ID.
process.name
type: keyword
Process name (comm).
process.title
type: keyword
Process title or command line parameters (proctitle).
process.exe
type: keyword
Absolute path of the executable.
process.cwd
type: keyword
The current working directory.
process.args
type: keyword
The process arguments as a list.
source fields
Source that triggered the event.
source.ip
type: ip
The remote address.
source.port
type: keyword
The port number.
source.hostname
type: keyword
Hostname of the source.
source.path
type: keyword
This is the path associated with a unix socket.
destination fields
Destination address that triggered the event.
destination.ip
type: ip
The remote address.
destination.port
type: keyword
The port number.
destination.hostname
type: keyword
Hostname of the destination.
destination.path
type: keyword
This is the path associated with a unix socket.
network.direction
type: keyword
Direction of the network traffic (incoming or outgoing).
auditd.sequence
type: long
The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can roll over, so a smaller value does not necessarily mean an earlier event.
auditd.session
type: keyword
The session ID assigned to a login. All events related to a login session will have the same value.
auditd.result
type: keyword
example: success or fail
The result of the audited operation (success/fail).
actor fields
The actor is the user that triggered the audit event.
auditd.summary.actor.primary
type: keyword
The primary identity of the actor. This is the actor’s original login ID (auid). It will not change even if the user changes to another account.
auditd.summary.actor.secondary
type: keyword
The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su.
object fields
This is the thing or object being acted upon in the event.
auditd.summary.object.type
type: keyword
A description of what the "thing" is (e.g. file, socket, user-session).
auditd.summary.object.primary
type: keyword
auditd.summary.object.secondary
type: keyword
auditd.summary.how
type: keyword
This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.
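The derivation of the name_map, source/destination, auditd.sequence and summary fields described above, as an added worked example (not Auditbeat’s own code): the script below parses the raw SYSCALL and SOCKADDR records of one kernel event, in the form they would appear in auditd.messages, into the documented fields. It reproduces what resolve_ids does with a constructed stand-in for /etc/passwd and /etc/group, sets actor.primary from auid and actor.secondary from uid so the two differ after su, derives network.direction and the destination address by decoding the raw sockaddr (the value exposed further down as auditd.data.socket.saddr), and compares two auditd.sequence values across the uint32 rollover. The sample records, the passwd/group tables and the x86_64 syscall-number table are constructed assumptions; Auditbeat’s own syscall-to-direction mapping is not reproduced here.

```python
import re
import socket
import struct

# Constructed sample event (not captured from a real host): the SYSCALL and SOCKADDR records the
# kernel emits for one connect(2) call made as root in a session whose login user (auid) is 1000.
RAW_MESSAGES = [
    'type=SYSCALL msg=audit(1523650000.123:2001): arch=c000003e syscall=42 success=yes exit=0 '
    'a0=3 a1=7ffd84a1e2b0 a2=10 a3=0 items=0 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 '
    'suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="curl" exe="/usr/bin/curl" key="net"',
    # sockaddr_in: family=2 (host order), port=80 (network order), addr=10.1.2.3, 8 bytes padding
    'type=SOCKADDR msg=audit(1523650000.123:2001): saddr=020000500A0102030000000000000000',
]
# Assumed stand-ins for /etc/passwd and /etc/group; resolve_ids=true does this lookup on the host.
PASSWD = {0: "root", 1000: "alice"}
GROUPS = {0: "root", 1000: "alice"}

UID_KEYS = ("auid", "uid", "euid", "suid", "fsuid")
GID_KEYS = ("gid", "egid", "sgid", "fsgid")
AUID_UNSET = "4294967295"  # (unsigned)-1: no login session, e.g. daemons started at boot
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10  # Linux values: the kernel wrote saddr, not this host
# x86_64 syscall numbers only (assumption); arch=c000003e in the record is what makes them valid.
OUTGOING = {42: "connect", 44: "sendto"}
INCOMING = {43: "accept", 45: "recvfrom", 288: "accept4"}

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_record(line):
    """Split one raw audit record into its type, kernel serial number and key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, _secs, _millis, serial, body = m.groups()
    fields = {k: v[1:-1] if v.startswith('"') else v for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "sequence": int(serial), "fields": fields}


def parse_saddr(hexstr):
    """Decode the raw sockaddr of a SOCKADDR record into family/addr/port or family/path."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == AF_INET:  # struct sockaddr_in
        return {"family": "ipv4", "addr": socket.inet_ntop(socket.AF_INET, raw[4:8]),
                "port": struct.unpack_from("!H", raw, 2)[0]}
    if family == AF_INET6:  # struct sockaddr_in6: port at 2, flowinfo at 4, address at 8
        return {"family": "ipv6", "addr": socket.inet_ntop(socket.AF_INET6, raw[8:24]),
                "port": struct.unpack_from("!H", raw, 2)[0]}
    if family == AF_UNIX:  # struct sockaddr_un: NUL-terminated path after the family
        return {"family": "unix", "path": raw[2:].split(b"\x00", 1)[0].decode(errors="replace")}
    return {"family": str(family), "saddr": hexstr}


def resolve_ids(fields, passwd, groups):
    """Build user.name_map the way resolve_ids=true does; an unset auid becomes 'unset'."""
    name_map = {}
    for key in UID_KEYS:
        if key in fields:
            val = fields[key]
            name_map[key] = "unset" if val == AUID_UNSET else passwd.get(int(val), val)
    for key in GID_KEYS:
        if key in fields:
            name_map[key] = groups.get(int(fields[key]), fields[key])
    return name_map


def sequence_gap(previous, current):
    """Events missing between two consecutive serials, tolerating the uint32 rollover."""
    return (current - previous) % (1 << 32) - 1


def build_event(messages, passwd=PASSWD, groups=GROUPS):
    """Assemble the documented fields from the raw records of a single kernel event."""
    records = [parse_record(m) for m in messages]
    if len({r["sequence"] for r in records}) != 1:
        raise ValueError("records do not share one serial number")
    sc = next(r["fields"] for r in records if r["type"] == "SYSCALL")
    name_map = resolve_ids(sc, passwd, groups)
    event = {
        "auditd.sequence": records[0]["sequence"],
        "auditd.session": sc.get("ses"),
        "auditd.result": "success" if sc.get("success") == "yes" else "fail",
        "process.pid": sc.get("pid"), "process.name": sc.get("comm"),
        "user": {k: sc[k] for k in UID_KEYS + GID_KEYS if k in sc},
        "user.name_map": name_map,
        # primary is the login identity (auid); secondary is the current uid, different after su
        "auditd.summary.actor.primary": name_map.get("auid", sc.get("auid")),
        "auditd.summary.actor.secondary": name_map.get("uid", sc.get("uid")),
        "auditd.summary.how": sc.get("exe"),
    }
    nr = int(sc.get("syscall", -1))
    for r in records:
        if r["type"] == "SOCKADDR" and "saddr" in r["fields"]:
            peer = parse_saddr(r["fields"]["saddr"])
            if nr in OUTGOING:
                event["network.direction"], event["destination"] = "outgoing", peer
            elif nr in INCOMING:
                event["network.direction"], event["source"] = "incoming", peer
    return event


if __name__ == "__main__":
    import json
    print(json.dumps(build_event(RAW_MESSAGES), indent=2))
```

Running the script prints the assembled event as JSON. Two details matter when writing detections on these fields: an auid of 4294967295 means the process has no login session (typical for daemons), so it is mapped to the name unset rather than looked up, and the direction is decided by the syscall, not by the address, so a SOCKADDR record on its own says nothing about who initiated the connection.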
paths fields
List of paths associated with the event.
auditd.paths.inode
type: keyword
inode number
auditd.paths.dev
type: keyword
device name as found in /dev
auditd.paths.obj_user
type: keyword
SELinux user of the path object’s security context
auditd.paths.obj_role
type: keyword
SELinux role of the path object’s security context
auditd.paths.obj_domain
type: keyword
SELinux domain (type) of the path object’s security context
auditd.paths.obj_level
type: keyword
SELinux level of the path object’s security context
auditd.paths.objtype
type: keyword
auditd.paths.ouid
type: keyword
file owner user ID
auditd.paths.rdev
type: keyword
the device identifier (special files only)
auditd.paths.nametype
type: keyword
kind of file operation being referenced
auditd.paths.ogid
type: keyword
file owner group ID
auditd.paths.item
type: keyword
which item is being recorded
auditd.paths.mode
type: keyword
mode flags on a file
auditd.paths.name
type: keyword
file name as recorded in the PATH record
data fields
The data from the audit messages.
auditd.data.action
type: keyword
netfilter packet disposition
auditd.data.minor
type: keyword
device minor number
auditd.data.acct
type: keyword
a user’s account name
auditd.data.addr
type: keyword
the remote address that the user is connecting from
auditd.data.cipher
type: keyword
name of crypto cipher selected
auditd.data.id
type: keyword
ID of the account affected (during account changes)
auditd.data.entries
type: keyword
number of entries in the netfilter table
auditd.data.kind
type: keyword
server or client in crypto operation
auditd.data.ksize
type: keyword
key size for crypto operation
auditd.data.spid
type: keyword
sent process ID
auditd.data.arch
type: keyword
the elf architecture flags
auditd.data.argc
type: keyword
the number of arguments to an execve syscall
auditd.data.major
type: keyword
device major number
auditd.data.unit
type: keyword
systemd unit
auditd.data.table
type: keyword
netfilter table name
auditd.data.terminal
type: keyword
terminal name the user is running programs on
auditd.data.grantors
type: keyword
pam modules approving the action
auditd.data.direction
type: keyword
direction of crypto operation
auditd.data.op
type: keyword
the operation being performed that is audited
auditd.data.tty
type: keyword
tty device the user is running programs on
auditd.data.syscall
type: keyword
syscall number in effect when the event occurred
auditd.data.data
type: keyword
TTY text
auditd.data.family
type: keyword
netfilter protocol
auditd.data.mac
type: keyword
crypto MAC algorithm selected
auditd.data.pfs
type: keyword
perfect forward secrecy method
auditd.data.items
type: keyword
the number of path records in the event
auditd.data.a0
type: keyword
first argument to the syscall
auditd.data.a1
type: keyword
second argument to the syscall
auditd.data.a2
type: keyword
third argument to the syscall
auditd.data.a3
type: keyword
fourth argument to the syscall
auditd.data.hostname
type: keyword
the hostname that the user is connecting from
auditd.data.lport
type: keyword
local network port
auditd.data.rport
type: keyword
remote port number
auditd.data.exit
type: keyword
syscall exit code
auditd.data.fp
type: keyword
crypto key fingerprint
auditd.data.laddr
type: keyword
local network address
auditd.data.sport
type: keyword
local port number
auditd.data.capability
type: keyword
posix capabilities
auditd.data.nargs
type: keyword
the number of arguments to a socket call
auditd.data.new-enabled
type: keyword
new TTY audit enabled setting
auditd.data.audit_backlog_limit
type: keyword
audit system’s backlog queue size
auditd.data.dir
type: keyword
directory name
auditd.data.cap_pe
type: keyword
process effective capability map
auditd.data.model
type: keyword
security model being used for virt
auditd.data.new_pp
type: keyword
new process permitted capability map
auditd.data.old-enabled
type: keyword
present TTY audit enabled setting
auditd.data.oauid
type: keyword
object’s login user ID
auditd.data.old
type: keyword
old value
auditd.data.banners
type: keyword
banners used on printed page
auditd.data.feature
type: keyword
kernel feature being changed
auditd.data.vm-ctx
type: keyword
the vm’s context string
auditd.data.opid
type: keyword
object’s process ID
auditd.data.seperms
type: keyword
SELinux permissions being used
auditd.data.seresult
type: keyword
SELinux AVC decision granted/denied
auditd.data.new-rng
type: keyword
device name of rng being added from a vm
auditd.data.old-net
type: keyword
present MAC address assigned to vm
auditd.data.sigev_signo
type: keyword
signal number
auditd.data.ino
type: keyword
inode number
auditd.data.old_enforcing
type: keyword
old MAC enforcement status
auditd.data.old-vcpu
type: keyword
present number of CPU cores
auditd.data.range
type: keyword
user’s SELinux range
auditd.data.res
type: keyword
result of the audited operation (success/fail)
auditd.data.added
type: keyword
number of new files detected
auditd.data.fam
type: keyword
socket address family
auditd.data.nlnk-pid
type: keyword
pid of netlink packet sender
auditd.data.subj
type: keyword
lspp subject’s context string
auditd.data.a[0-3]
type: keyword
the arguments to a syscall
auditd.data.cgroup
type: keyword
path to cgroup in sysfs
auditd.data.kernel
type: keyword
kernel’s version number
auditd.data.ocomm
type: keyword
object’s command line name
auditd.data.new-net
type: keyword
MAC address being assigned to vm
auditd.data.permissive
type: keyword
SELinux is in permissive mode
auditd.data.class
type: keyword
resource class assigned to vm
auditd.data.compat
type: keyword
is_compat_task result
auditd.data.fi
type: keyword
file assigned inherited capability map
auditd.data.changed
type: keyword
number of changed files
auditd.data.msg
type: keyword
the payload of the audit record
auditd.data.dport
type: keyword
remote port number
auditd.data.new-seuser
type: keyword
new SELinux user
auditd.data.invalid_context
type: keyword
the SELinux context that was found to be invalid
auditd.data.dmac
type: keyword
remote MAC address
auditd.data.ipx-net
type: keyword
IPX network number
auditd.data.iuid
type: keyword
ipc object’s user ID
auditd.data.macproto
type: keyword
ethernet packet type ID field
auditd.data.obj
type: keyword
lspp object context string
auditd.data.ipid
type: keyword
IP datagram fragment identifier
auditd.data.new-fs
type: keyword
file system being added to vm
auditd.data.vm-pid
type: keyword
vm’s process ID
auditd.data.cap_pi
type: keyword
process inherited capability map
auditd.data.old-auid
type: keyword
previous auid value
auditd.data.oses
type: keyword
object’s session ID
auditd.data.fd
type: keyword
file descriptor number
auditd.data.igid
type: keyword
ipc object’s group ID
auditd.data.new-disk
type: keyword
disk being added to vm
auditd.data.parent
type: keyword
the inode number of the parent file
auditd.data.len
type: keyword
length
auditd.data.oflag
type: keyword
open syscall flags
auditd.data.uuid
type: keyword
a UUID
auditd.data.code
type: keyword
seccomp action code
auditd.data.nlnk-grp
type: keyword
netlink group number
auditd.data.cap_fp
type: keyword
file permitted capability map
auditd.data.new-mem
type: keyword
new amount of memory in KB
auditd.data.seperm
type: keyword
SELinux permission being decided on
auditd.data.enforcing
type: keyword
new MAC enforcement status
auditd.data.new-chardev
type: keyword
new character device being assigned to vm
auditd.data.old-rng
type: keyword
device name of rng being removed from a vm
auditd.data.outif
type: keyword
out interface number
auditd.data.cmd
type: keyword
command being executed
auditd.data.hook
type: keyword
netfilter hook that packet came from
auditd.data.new-level
type: keyword
new run level
auditd.data.sauid
type: keyword
sent login user ID
auditd.data.sig
type: keyword
signal number
auditd.data.audit_backlog_wait_time
type: keyword
audit system’s backlog wait time
auditd.data.printer
type: keyword
printer name
auditd.data.old-mem
type: keyword
present amount of memory in KB
auditd.data.perm
type: keyword
the file permission being used
auditd.data.old_pi
type: keyword
old process inherited capability map
auditd.data.state
type: keyword
audit daemon configuration resulting state
auditd.data.format
type: keyword
audit log’s format
auditd.data.new_gid
type: keyword
new group ID being assigned
auditd.data.tcontext
type: keyword
the target’s or object’s context string
auditd.data.maj
type: keyword
device major number
auditd.data.watch
type: keyword
file name in a watch record
auditd.data.device
type: keyword
device name
auditd.data.grp
type: keyword
group name
auditd.data.bool
type: keyword
name of SELinux boolean
auditd.data.icmp_type
type: keyword
type of icmp message
auditd.data.new_lock
type: keyword
new value of feature lock
auditd.data.old_prom
type: keyword
previous network promiscuity flag
auditd.data.acl
type: keyword
access mode of resource assigned to vm
auditd.data.ip
type: keyword
network address of a printer
auditd.data.new_pi
type: keyword
new process inherited capability map
auditd.data.default-context
type: keyword
default MAC context
auditd.data.inode_gid
type: keyword
group ID of the inode’s owner
auditd.data.new-log_passwd
type: keyword
new value for TTY password logging
auditd.data.new_pe
type: keyword
new process effective capability map
auditd.data.selected-context
type: keyword
new MAC context assigned to session
auditd.data.cap_fver
type: keyword
file system capabilities version number
auditd.data.file
type: keyword
file name
auditd.data.net
type: keyword
network MAC address
auditd.data.virt
type: keyword
kind of virtualization being referenced
auditd.data.cap_pp
type: keyword
process permitted capability map
auditd.data.old-range
type: keyword
present SELinux range
auditd.data.resrc
type: keyword
resource being assigned
auditd.data.new-range
type: keyword
new SELinux range
auditd.data.obj_gid
type: keyword
group ID of object
auditd.data.proto
type: keyword
network protocol
auditd.data.old-disk
type: keyword
disk being removed from vm
auditd.data.audit_failure
type: keyword
audit system’s failure mode
auditd.data.inif
type: keyword
in interface number
auditd.data.vm
type: keyword
virtual machine name
auditd.data.flags
type: keyword
mmap syscall flags
auditd.data.nlnk-fam
type: keyword
netlink protocol number
auditd.data.old-fs
type: keyword
file system being removed from vm
auditd.data.old-ses
type: keyword
previous ses value
auditd.data.seqno
type: keyword
sequence number
auditd.data.fver
type: keyword
file system capabilities version number
auditd.data.qbytes
type: keyword
ipc object’s quantity of bytes
auditd.data.seuser
type: keyword
user’s SELinux user account
auditd.data.cap_fe
type: keyword
file assigned effective capability map
auditd.data.new-vcpu
type: keyword
new number of CPU cores
auditd.data.old-level
type: keyword
old run level
auditd.data.old_pp
type: keyword
old process permitted capability map
auditd.data.daddr
type: keyword
remote IP address
auditd.data.old-role
type: keyword
present SELinux role
auditd.data.ioctlcmd
type: keyword
the request argument to the ioctl syscall
auditd.data.smac
type: keyword
local MAC address
auditd.data.apparmor
type: keyword
apparmor event information
auditd.data.fe
type: keyword
file assigned effective capability map
auditd.data.perm_mask
type: keyword
file permission mask that triggered a watch event
auditd.data.ses
type: keyword
login session ID
auditd.data.cap_fi
type: keyword
file inherited capability map
auditd.data.obj_uid
type: keyword
user ID of object
auditd.data.reason
type: keyword
text string denoting a reason for the action
auditd.data.list
type: keyword
the audit system’s filter list number
auditd.data.old_lock
type: keyword
present value of feature lock
auditd.data.bus
type: keyword
name of subsystem bus a vm resource belongs to
auditd.data.old_pe
type: keyword
old process effective capability map
auditd.data.new-role
type: keyword
new SELinux role
auditd.data.prom
type: keyword
network promiscuity flag
auditd.data.uri
type: keyword
URI pointing to a printer
auditd.data.audit_enabled
type: keyword
audit system’s enable/disable status
auditd.data.old-log_passwd
type: keyword
present value for TTY password logging
auditd.data.old-seuser
type: keyword
present SELinux user
auditd.data.per
type: keyword
linux personality
auditd.data.scontext
type: keyword
the subject’s context string
auditd.data.tclass
type: keyword
target’s object classification
auditd.data.ver
type: keyword
audit daemon’s version number
auditd.data.new
type: keyword
value being set in feature
auditd.data.val
type: keyword
generic value associated with the operation
auditd.data.img-ctx
type: keyword
the vm’s disk image context string
auditd.data.old-chardev
type: keyword
present character device assigned to vm
auditd.data.old_val
type: keyword
current value of SELinux boolean
auditd.data.success
type: keyword
whether the syscall was successful or not
auditd.data.inode_uid
type: keyword
user ID of the inode’s owner
auditd.data.removed
type: keyword
number of deleted files
auditd.data.socket.port
type: keyword
The port number.
auditd.data.socket.saddr
type: keyword
The raw socket address structure (hex-encoded sockaddr as written by the kernel).
auditd.data.socket.addr
type: keyword
The remote address.
auditd.data.socket.family
type: keyword
example: unix
The socket family (unix, ipv4, ipv6, netlink).
auditd.data.socket.path
type: keyword
This is the path associated with a unix socket.
auditd.messages
type: text
An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if include_raw_message is set in the config.
auditd.warnings
type: keyword
The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.
geoip fields
The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or Ingest Node.
geoip.continent_name
type: keyword
The name of the continent.
geoip.city_name
type: keyword
The name of the city.
geoip.region_name
type: keyword
The name of the region.
geoip.country_iso_code
type: keyword
Country ISO code.
geoip.location
type: geo_point
The longitude and latitude.