Audit Fields

The audit module reports security-relevant information based on data captured from the operating system (OS) or services running on the OS.

audit Fields

file Fields

The file metricset generates events when a file changes on disk.

audit.file.path

type: keyword

The path to the file.

audit.file.target_path

type: keyword

The target path for symlinks.

audit.file.action

type: keyword

example: attributes_modified

Action describes the change to the file. The possible values are: attributes_modified, created, deleted, updated, and moved.

audit.file.type

type: keyword

The file type (file, dir, or symlink).

audit.file.inode

type: keyword

The inode representing the file in the filesystem.

audit.file.uid

type: keyword

The user ID (UID) of the file owner.

audit.file.owner

type: keyword

The file owner’s username.

audit.file.gid

type: keyword

The primary group ID (GID) of the file.

audit.file.group

type: keyword

The primary group name of the file.

audit.file.sid

type: keyword

The security identifier (SID) of the file owner (Windows only).

audit.file.mode

type: keyword

example: 416

The mode of the file in octal representation.

audit.file.size

type: long

The file size in bytes.

audit.file.atime

type: date

The last access time of the file.

audit.file.mtime

type: date

The last modified time of the file.

audit.file.ctime

type: date

The creation time of the file.

audit.file.hashed

type: boolean

Boolean indicating whether the event includes file hashes. If true, the md5, sha1, and sha256 fields will be present.

audit.file.md5

type: keyword

MD5 hash of the file.

audit.file.sha1

type: keyword

SHA1 hash of the file.

audit.file.sha256

type: keyword

SHA256 hash of the file.

kernel Fields

The kernel metricset distributes audit events received from the Linux Audit Framework, which is part of the Linux kernel.

audit.kernel.action

type: keyword

example: logged-in

A description of the action taken by the user.

actor Fields

The actor is the user that triggered the audit event.

attrs Fields

Attributes of the actor.

audit.kernel.actor.attrs.auid

type: keyword

login user ID

audit.kernel.actor.attrs.uid

type: keyword

user ID

audit.kernel.actor.attrs.euid

type: keyword

effective user ID

audit.kernel.actor.attrs.fsuid

type: keyword

file system user ID

audit.kernel.actor.attrs.suid

type: keyword

sent user ID

audit.kernel.actor.attrs.gid

type: keyword

group ID

audit.kernel.actor.attrs.egid

type: keyword

effective group ID

audit.kernel.actor.attrs.sgid

type: keyword

set group ID

audit.kernel.actor.attrs.fsgid

type: keyword

file system group ID

audit.kernel.actor.primary

type: keyword

The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.

audit.kernel.actor.secondary

type: keyword

The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su.

selinux Fields

The SELinux identity of the actor.

audit.kernel.actor.selinux.user

type: keyword

account submitted for authentication

audit.kernel.actor.selinux.role

type: keyword

user’s SELinux role

audit.kernel.actor.selinux.domain

type: keyword

The actor’s SELinux domain or type.

audit.kernel.actor.selinux.level

type: keyword

example: s0

The actor’s SELinux level.

audit.kernel.actor.selinux.category

type: keyword

The actor’s SELinux category or compartments.

audit.kernel.category

type: keyword

example: audit-rule

The event’s category is a value derived from the record_type.

audit.kernel.sequence

type: long

The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can roll over.

audit.kernel.session

type: keyword

The session ID assigned to a login. All events related to a login session will have the same value.

paths Fields

List of paths associated with the event.

audit.kernel.paths.inode

type: keyword

inode number

audit.kernel.paths.dev

type: keyword

device name as found in /dev

audit.kernel.paths.obj_user

type: keyword

audit.kernel.paths.obj_role

type: keyword

audit.kernel.paths.obj_domain

type: keyword

audit.kernel.paths.obj_level

type: keyword

audit.kernel.paths.objtype

type: keyword

audit.kernel.paths.ouid

type: keyword

file owner user ID

audit.kernel.paths.rdev

type: keyword

the device identifier (special files only)

audit.kernel.paths.nametype

type: keyword

kind of file operation being referenced

audit.kernel.paths.ogid

type: keyword

file owner group ID

audit.kernel.paths.item

type: keyword

which item is being recorded

audit.kernel.paths.mode

type: keyword

mode flags on a file

audit.kernel.paths.name

type: keyword

file name in avcs

audit.kernel.record_type

type: keyword

The audit record’s type.

socket Fields

Socket data from sockaddr messages.

audit.kernel.socket.port

type: keyword

The port number.

audit.kernel.socket.saddr

type: keyword

The raw socket address structure.

audit.kernel.socket.addr

type: keyword

The remote address.

audit.kernel.socket.family

type: keyword

example: unix

The socket family (unix, ipv4, ipv6, netlink).

audit.kernel.socket.path

type: keyword

This is the path associated with a unix socket.

thing Fields

This is the thing or object being acted upon in the event.

audit.kernel.thing.what

type: keyword

A description of what the "thing" is (e.g. file, socket, user-session).

audit.kernel.thing.primary

type: keyword

audit.kernel.thing.secondary

type: keyword

selinux Fields

The SELinux identity of the object.

audit.kernel.thing.selinux.user

type: keyword

The owner of the object.

audit.kernel.thing.selinux.role

type: keyword

The object’s SELinux role.

audit.kernel.thing.selinux.domain

type: keyword

The object’s SELinux domain or type.

audit.kernel.thing.selinux.level

type: keyword

example: s0

The object’s SELinux level.

audit.kernel.how

type: keyword

This describes how the action was performed. Usually this is the executable or command whose execution triggered the event.

audit.kernel.key

type: keyword

The key assigned to the audit rule that triggered the event.

audit.kernel.result

type: keyword

example: success or fail

The result of the audited operation (success/fail).

data Fields

The data from the audit messages.

audit.kernel.data.action

type: keyword

netfilter packet disposition

audit.kernel.data.minor

type: keyword

device minor number

audit.kernel.data.acct

type: keyword

a user’s account name

audit.kernel.data.addr

type: keyword

the remote address that the user is connecting from

audit.kernel.data.cipher

type: keyword

name of crypto cipher selected

audit.kernel.data.id

type: keyword

during account changes

audit.kernel.data.entries

type: keyword

number of entries in the netfilter table

audit.kernel.data.kind

type: keyword

server or client in crypto operation

audit.kernel.data.ksize

type: keyword

key size for crypto operation

audit.kernel.data.spid

type: keyword

sent process ID

audit.kernel.data.arch

type: keyword

the elf architecture flags

audit.kernel.data.argc

type: keyword

the number of arguments to an execve syscall

audit.kernel.data.major

type: keyword

device major number

audit.kernel.data.unit

type: keyword

systemd unit

audit.kernel.data.table

type: keyword

netfilter table name

audit.kernel.data.terminal

type: keyword

terminal name the user is running programs on

audit.kernel.data.comm

type: keyword

command line program name

audit.kernel.data.exe

type: keyword

executable name

audit.kernel.data.grantors

type: keyword

pam modules approving the action

audit.kernel.data.pid

type: keyword

process ID

audit.kernel.data.direction

type: keyword

direction of crypto operation

audit.kernel.data.op

type: keyword

the operation being performed that is audited

audit.kernel.data.tty

type: keyword

tty device the user is running programs on

audit.kernel.data.proctitle

type: keyword

process title and command line parameters

audit.kernel.data.syscall

type: keyword

syscall number in effect when the event occurred

audit.kernel.data.data

type: keyword

TTY text

audit.kernel.data.family

type: keyword

netfilter protocol

audit.kernel.data.mac

type: keyword

crypto MAC algorithm selected

audit.kernel.data.pfs

type: keyword

perfect forward secrecy method

audit.kernel.data.items

type: keyword

the number of path records in the event

audit.kernel.data.a0

type: keyword

audit.kernel.data.a1

type: keyword

audit.kernel.data.a2

type: keyword

audit.kernel.data.a3

type: keyword

audit.kernel.data.cwd

type: keyword

the current working directory

audit.kernel.data.hostname

type: keyword

the hostname that the user is connecting from

audit.kernel.data.lport

type: keyword

local network port

audit.kernel.data.ppid

type: keyword

parent process ID

audit.kernel.data.rport

type: keyword

remote port number

audit.kernel.data.cmdline

type: keyword

The full command line from the execve message.

audit.kernel.data.exit

type: keyword

syscall exit code

audit.kernel.data.fp

type: keyword

crypto key fingerprint

audit.kernel.data.laddr

type: keyword

local network address

audit.kernel.data.sport

type: keyword

local port number

audit.kernel.data.capability

type: keyword

posix capabilities

audit.kernel.data.nargs

type: keyword

the number of arguments to a socket call

audit.kernel.data.new-enabled

type: keyword

new TTY audit enabled setting

audit.kernel.data.audit_backlog_limit

type: keyword

audit system’s backlog queue size

audit.kernel.data.dir

type: keyword

directory name

audit.kernel.data.cap_pe

type: keyword

process effective capability map

audit.kernel.data.model

type: keyword

security model being used for virt

audit.kernel.data.new_pp

type: keyword

new process permitted capability map

audit.kernel.data.old-enabled

type: keyword

present TTY audit enabled setting

audit.kernel.data.oauid

type: keyword

object’s login user ID

audit.kernel.data.old

type: keyword

old value

audit.kernel.data.banners

type: keyword

banners used on printed page

audit.kernel.data.feature

type: keyword

kernel feature being changed

audit.kernel.data.vm-ctx

type: keyword

the vm’s context string

audit.kernel.data.opid

type: keyword

object’s process ID

audit.kernel.data.seperms

type: keyword

SELinux permissions being used

audit.kernel.data.seresult

type: keyword

SELinux AVC decision granted/denied

audit.kernel.data.new-rng

type: keyword

device name of rng being added from a vm

audit.kernel.data.old-net

type: keyword

present MAC address assigned to vm

audit.kernel.data.sigev_signo

type: keyword

signal number

audit.kernel.data.ino

type: keyword

inode number

audit.kernel.data.old_enforcing

type: keyword

old MAC enforcement status

audit.kernel.data.old-vcpu

type: keyword

present number of CPU cores

audit.kernel.data.range

type: keyword

user’s SELinux range

audit.kernel.data.res

type: keyword

result of the audited operation (success/fail)

audit.kernel.data.added

type: keyword

number of new files detected

audit.kernel.data.fam

type: keyword

socket address family

audit.kernel.data.nlnk-pid

type: keyword

pid of netlink packet sender

audit.kernel.data.subj

type: keyword

lspp subject’s context string

audit.kernel.data.a[0-3]

type: keyword

the arguments to a syscall

audit.kernel.data.cgroup

type: keyword

path to cgroup in sysfs

audit.kernel.data.kernel

type: keyword

kernel’s version number

audit.kernel.data.ocomm

type: keyword

object’s command line name

audit.kernel.data.new-net

type: keyword

MAC address being assigned to vm

audit.kernel.data.permissive

type: keyword

SELinux is in permissive mode

audit.kernel.data.class

type: keyword

resource class assigned to vm

audit.kernel.data.compat

type: keyword

is_compat_task result

audit.kernel.data.fi

type: keyword

file assigned inherited capability map

audit.kernel.data.changed

type: keyword

number of changed files

audit.kernel.data.msg

type: keyword

the payload of the audit record

audit.kernel.data.dport

type: keyword

remote port number

audit.kernel.data.new-seuser

type: keyword

new SELinux user

audit.kernel.data.invalid_context

type: keyword

SELinux context

audit.kernel.data.dmac

type: keyword

remote MAC address

audit.kernel.data.ipx-net

type: keyword

IPX network number

audit.kernel.data.iuid

type: keyword

ipc object’s user ID

audit.kernel.data.macproto

type: keyword

ethernet packet type ID field

audit.kernel.data.obj

type: keyword

lspp object context string

audit.kernel.data.a[[:digit:]+]\[.*\]

type: keyword

the arguments to the execve syscall

audit.kernel.data.ipid

type: keyword

IP datagram fragment identifier

audit.kernel.data.new-fs

type: keyword

file system being added to vm

audit.kernel.data.vm-pid

type: keyword

vm’s process ID

audit.kernel.data.cap_pi

type: keyword

process inherited capability map

audit.kernel.data.old-auid

type: keyword

previous auid value

audit.kernel.data.oses

type: keyword

object’s session ID

audit.kernel.data.fd

type: keyword

file descriptor number

audit.kernel.data.igid

type: keyword

ipc object’s group ID

audit.kernel.data.new-disk

type: keyword

disk being added to vm

audit.kernel.data.parent

type: keyword

the inode number of the parent file

audit.kernel.data.len

type: keyword

length

audit.kernel.data.oflag

type: keyword

open syscall flags

audit.kernel.data.uuid

type: keyword

a UUID

audit.kernel.data.code

type: keyword

seccomp action code

audit.kernel.data.nlnk-grp

type: keyword

netlink group number

audit.kernel.data.cap_fp

type: keyword

file permitted capability map

audit.kernel.data.new-mem

type: keyword

new amount of memory in KB

audit.kernel.data.seperm

type: keyword

SELinux permission being decided on

audit.kernel.data.enforcing

type: keyword

new MAC enforcement status

audit.kernel.data.new-chardev

type: keyword

new character device being assigned to vm

audit.kernel.data.old-rng

type: keyword

device name of rng being removed from a vm

audit.kernel.data.outif

type: keyword

out interface number

audit.kernel.data.cmd

type: keyword

command being executed

audit.kernel.data.hook

type: keyword

netfilter hook that packet came from

audit.kernel.data.new-level

type: keyword

new run level

audit.kernel.data.sauid

type: keyword

sent login user ID

audit.kernel.data.sig

type: keyword

signal number

audit.kernel.data.audit_backlog_wait_time

type: keyword

audit system’s backlog wait time

audit.kernel.data.printer

type: keyword

printer name

audit.kernel.data.old-mem

type: keyword

present amount of memory in KB

audit.kernel.data.perm

type: keyword

the file permission being used

audit.kernel.data.old_pi

type: keyword

old process inherited capability map

audit.kernel.data.state

type: keyword

audit daemon configuration resulting state

audit.kernel.data.format

type: keyword

audit log’s format

audit.kernel.data.new_gid

type: keyword

new group ID being assigned

audit.kernel.data.tcontext

type: keyword

the target’s or object’s context string

audit.kernel.data.maj

type: keyword

device major number

audit.kernel.data.watch

type: keyword

file name in a watch record

audit.kernel.data.device

type: keyword

device name

audit.kernel.data.grp

type: keyword

group name

audit.kernel.data.bool

type: keyword

name of SELinux boolean

audit.kernel.data.icmp_type

type: keyword

type of icmp message

audit.kernel.data.new_lock

type: keyword

new value of feature lock

audit.kernel.data.old_prom

type: keyword

network promiscuity flag

audit.kernel.data.acl

type: keyword

access mode of resource assigned to vm

audit.kernel.data.ip

type: keyword

network address of a printer

audit.kernel.data.new_pi

type: keyword

new process inherited capability map

audit.kernel.data.default-context

type: keyword

default MAC context

audit.kernel.data.inode_gid

type: keyword

group ID of the inode’s owner

audit.kernel.data.new-log_passwd

type: keyword

new value for TTY password logging

audit.kernel.data.new_pe

type: keyword

new process effective capability map

audit.kernel.data.selected-context

type: keyword

new MAC context assigned to session

audit.kernel.data.cap_fver

type: keyword

file system capabilities version number

audit.kernel.data.file

type: keyword

file name

audit.kernel.data.net

type: keyword

network MAC address

audit.kernel.data.virt

type: keyword

kind of virtualization being referenced

audit.kernel.data.cap_pp

type: keyword

process permitted capability map

audit.kernel.data.old-range

type: keyword

present SELinux range

audit.kernel.data.resrc

type: keyword

resource being assigned

audit.kernel.data.new-range

type: keyword

new SELinux range

audit.kernel.data.obj_gid

type: keyword

group ID of object

audit.kernel.data.proto

type: keyword

network protocol

audit.kernel.data.old-disk

type: keyword

disk being removed from vm

audit.kernel.data.audit_failure

type: keyword

audit system’s failure mode

audit.kernel.data.inif

type: keyword

in interface number

audit.kernel.data.vm

type: keyword

virtual machine name

audit.kernel.data.flags

type: keyword

mmap syscall flags

audit.kernel.data.nlnk-fam

type: keyword

netlink protocol number

audit.kernel.data.old-fs

type: keyword

file system being removed from vm

audit.kernel.data.old-ses

type: keyword

previous ses value

audit.kernel.data.seqno

type: keyword

sequence number

audit.kernel.data.fver

type: keyword

file system capabilities version number

audit.kernel.data.qbytes

type: keyword

ipc object’s quantity of bytes

audit.kernel.data.seuser

type: keyword

user’s SELinux user account

audit.kernel.data.cap_fe

type: keyword

file assigned effective capability map

audit.kernel.data.new-vcpu

type: keyword

new number of CPU cores

audit.kernel.data.old-level

type: keyword

old run level

audit.kernel.data.old_pp

type: keyword

old process permitted capability map

audit.kernel.data.daddr

type: keyword

remote IP address

audit.kernel.data.old-role

type: keyword

present SELinux role

audit.kernel.data.ioctlcmd

type: keyword

The request argument to the ioctl syscall

audit.kernel.data.smac

type: keyword

local MAC address

audit.kernel.data.apparmor

type: keyword

apparmor event information

audit.kernel.data.fe

type: keyword

file assigned effective capability map

audit.kernel.data.perm_mask

type: keyword

file permission mask that triggered a watch event

audit.kernel.data.ses

type: keyword

login session ID

audit.kernel.data.cap_fi

type: keyword

file inherited capability map

audit.kernel.data.obj_uid

type: keyword

user ID of object

audit.kernel.data.reason

type: keyword

text string denoting a reason for the action

audit.kernel.data.list

type: keyword

the audit system’s filter list number

audit.kernel.data.old_lock

type: keyword

present value of feature lock

audit.kernel.data.bus

type: keyword

name of subsystem bus a vm resource belongs to

audit.kernel.data.old_pe

type: keyword

old process effective capability map

audit.kernel.data.new-role

type: keyword

new SELinux role

audit.kernel.data.prom

type: keyword

network promiscuity flag

audit.kernel.data.uri

type: keyword

URI pointing to a printer

audit.kernel.data.audit_enabled

type: keyword

audit system’s enable/disable status

audit.kernel.data.old-log_passwd

type: keyword

present value for TTY password logging

audit.kernel.data.old-seuser

type: keyword

present SELinux user

audit.kernel.data.per

type: keyword

linux personality

audit.kernel.data.scontext

type: keyword

the subject’s context string

audit.kernel.data.tclass

type: keyword

target’s object classification

audit.kernel.data.ver

type: keyword

audit daemon’s version number

audit.kernel.data.new

type: keyword

value being set in feature

audit.kernel.data.val

type: keyword

generic value associated with the operation

audit.kernel.data.img-ctx

type: keyword

the vm’s disk image context string

audit.kernel.data.old-chardev

type: keyword

present character device assigned to vm

audit.kernel.data.old_val

type: keyword

current value of SELinux boolean

audit.kernel.data.success

type: keyword

whether the syscall was successful or not

audit.kernel.data.inode_uid

type: keyword

user ID of the inode’s owner

audit.kernel.data.removed

type: keyword

number of deleted files

audit.kernel.messages

type: text

An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if kernel.include_raw_message is set in the config.

audit.kernel.warnings

type: keyword

The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.

geoip Fields

Contains GeoIP information gathered based on the os_events.audit.addr field. Only present if the GeoIP Elasticsearch plugin is available and used.

audit.kernel.geoip.continent_name

type: keyword

The name of the continent.

audit.kernel.geoip.city_name

type: keyword

The name of the city.

audit.kernel.geoip.region_name

type: keyword

The name of the region.

audit.kernel.geoip.country_iso_code

type: keyword

Country ISO code.

audit.kernel.geoip.location

type: geo_point

The longitude and latitude.