WARNING: Version 6.1 of Auditbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Audit fields
The audit module reports security-relevant information based on data captured from the operating system (OS) or services running on the OS.
audit fields
file fields
The file metricset generates events when a file changes on disk.
audit.file.path (type: text): The path to the file.
audit.file.path.raw (type: keyword): The path to the file. This is a non-analyzed field that is useful for aggregations.
audit.file.target_path (type: keyword): The target path for symlinks.
audit.file.action (type: keyword, example: attributes_modified): Action describes the change that triggered the event. The possible values are: attributes_modified, created, deleted, updated, moved, and config_change.
audit.file.type (type: keyword): The file type (file, dir, or symlink).
audit.file.inode (type: keyword): The inode representing the file in the filesystem.
audit.file.uid (type: keyword): The user ID (UID) of the file owner.
audit.file.owner (type: keyword): The file owner’s username.
audit.file.gid (type: keyword): The primary group ID (GID) of the file.
audit.file.group (type: keyword): The primary group name of the file.
audit.file.sid (type: keyword): The security identifier (SID) of the file owner (Windows only).
audit.file.mode (type: keyword, example: 416): The mode of the file in octal representation.
audit.file.size (type: long): The file size in bytes (field is only added when type is file).
audit.file.mtime (type: date): The last modified time of the file (time when content was modified).
audit.file.ctime (type: date): The last change time of the file (time when metadata was changed).
audit.file.hashed (type: boolean): Boolean indicating if the event includes any file hashes.
audit.file.md5 (type: keyword): MD5 hash of the file.
audit.file.sha1 (type: keyword): SHA1 hash of the file.
audit.file.sha224 (type: keyword): SHA224 hash of the file.
audit.file.sha256 (type: keyword): SHA256 hash of the file.
audit.file.sha384 (type: keyword): SHA384 hash of the file.
audit.file.sha3_224 (type: keyword): SHA3_224 hash of the file.
audit.file.sha3_256 (type: keyword): SHA3_256 hash of the file.
audit.file.sha3_384 (type: keyword): SHA3_384 hash of the file.
audit.file.sha3_512 (type: keyword): SHA3_512 hash of the file.
audit.file.sha512 (type: keyword): SHA512 hash of the file.
audit.file.sha512_224 (type: keyword): SHA512/224 hash of the file.
audit.file.sha512_256 (type: keyword): SHA512/256 hash of the file.
kernel fields
The kernel metricset reports audit events received from the Linux Audit Framework, which is part of the Linux kernel.
audit.kernel.action (type: keyword, example: logged-in): A description of the action taken by the user.
actor fields
The actor is the user that triggered the audit event.
attrs fields
Attributes of the actor.
audit.kernel.actor.attrs.auid (type: keyword): login user ID
audit.kernel.actor.attrs.uid (type: keyword): user ID
audit.kernel.actor.attrs.euid (type: keyword): effective user ID
audit.kernel.actor.attrs.fsuid (type: keyword): file system user ID
audit.kernel.actor.attrs.suid (type: keyword): sent user ID
audit.kernel.actor.attrs.gid (type: keyword): group ID
audit.kernel.actor.attrs.egid (type: keyword): effective group ID
audit.kernel.actor.attrs.sgid (type: keyword): set group ID
audit.kernel.actor.attrs.fsgid (type: keyword): file system group ID
audit.kernel.actor.primary (type: keyword): The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.
audit.kernel.actor.secondary (type: keyword): The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su.
selinux fields
The SELinux identity of the actor.
audit.kernel.actor.selinux.user (type: keyword): account submitted for authentication
audit.kernel.actor.selinux.role (type: keyword): user’s SELinux role
audit.kernel.actor.selinux.domain (type: keyword): The actor’s SELinux domain or type.
audit.kernel.actor.selinux.level (type: keyword, example: s0): The actor’s SELinux level.
audit.kernel.actor.selinux.category (type: keyword): The actor’s SELinux category or compartments.
audit.kernel.category (type: keyword, example: audit-rule): The event’s category is a value derived from the record_type.
audit.kernel.sequence (type: long): The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover.
audit.kernel.session (type: keyword): The session ID assigned to a login. All events related to a login session will have the same value.
paths fields
List of paths associated with the event.
audit.kernel.paths.inode (type: keyword): inode number
audit.kernel.paths.dev (type: keyword): device name as found in /dev
audit.kernel.paths.obj_user (type: keyword)
audit.kernel.paths.obj_role (type: keyword)
audit.kernel.paths.obj_domain (type: keyword)
audit.kernel.paths.obj_level (type: keyword)
audit.kernel.paths.objtype (type: keyword)
audit.kernel.paths.ouid (type: keyword): file owner user ID
audit.kernel.paths.rdev (type: keyword): the device identifier (special files only)
audit.kernel.paths.nametype (type: keyword): kind of file operation being referenced
audit.kernel.paths.ogid (type: keyword): file owner group ID
audit.kernel.paths.item (type: keyword): which item is being recorded
audit.kernel.paths.mode (type: keyword): mode flags on a file
audit.kernel.paths.name (type: keyword): file name in avcs
audit.kernel.record_type (type: keyword): The audit record’s type.
socket fields
Socket data from sockaddr messages.
audit.kernel.socket.port (type: keyword): The port number.
audit.kernel.socket.saddr (type: keyword): The raw socket address structure.
audit.kernel.socket.addr (type: keyword): The remote address.
audit.kernel.socket.family (type: keyword, example: unix): The socket family (unix, ipv4, ipv6, netlink).
audit.kernel.socket.path (type: keyword): This is the path associated with a unix socket.
thing fields
This is the thing or object being acted upon in the event.
audit.kernel.thing.what (type: keyword): A description of what the "thing" is (e.g. file, socket, user-session).
audit.kernel.thing.primary (type: keyword)
audit.kernel.thing.secondary (type: keyword)
selinux fields
The SELinux identity of the object.
audit.kernel.thing.selinux.user (type: keyword): The owner of the object.
audit.kernel.thing.selinux.role (type: keyword): The object’s SELinux role.
audit.kernel.thing.selinux.domain (type: keyword): The object’s SELinux domain or type.
audit.kernel.thing.selinux.level (type: keyword, example: s0): The object’s SELinux level.
audit.kernel.how (type: keyword): This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.
audit.kernel.key (type: keyword): The key assigned to the audit rule that triggered the event.
audit.kernel.result (type: keyword, example: success or fail): The result of the audited operation (success/fail).
data fields
The data from the audit messages.
audit.kernel.data.action (type: keyword): netfilter packet disposition
audit.kernel.data.minor (type: keyword): device minor number
audit.kernel.data.acct (type: keyword): a user’s account name
audit.kernel.data.addr (type: keyword): the remote address that the user is connecting from
audit.kernel.data.cipher (type: keyword): name of crypto cipher selected
audit.kernel.data.id (type: keyword): during account changes
audit.kernel.data.entries (type: keyword): number of entries in the netfilter table
audit.kernel.data.kind (type: keyword): server or client in crypto operation
audit.kernel.data.ksize (type: keyword): key size for crypto operation
audit.kernel.data.spid (type: keyword): sent process ID
audit.kernel.data.arch (type: keyword): the elf architecture flags
audit.kernel.data.argc (type: keyword): the number of arguments to an execve syscall
audit.kernel.data.major (type: keyword): device major number
audit.kernel.data.unit (type: keyword): systemd unit
audit.kernel.data.table (type: keyword): netfilter table name
audit.kernel.data.terminal (type: keyword): terminal name the user is running programs on
audit.kernel.data.comm (type: keyword): command line program name
audit.kernel.data.exe (type: keyword): executable name
audit.kernel.data.grantors (type: keyword): pam modules approving the action
audit.kernel.data.pid (type: keyword): process ID
audit.kernel.data.direction (type: keyword): direction of crypto operation
audit.kernel.data.op (type: keyword): the operation being performed that is audited
audit.kernel.data.tty (type: keyword): tty device the user is running programs on
audit.kernel.data.proctitle (type: keyword): process title and command line parameters
audit.kernel.data.syscall (type: keyword): syscall number in effect when the event occurred
audit.kernel.data.data (type: keyword): TTY text
audit.kernel.data.family (type: keyword): netfilter protocol
audit.kernel.data.mac (type: keyword): crypto MAC algorithm selected
audit.kernel.data.pfs (type: keyword): perfect forward secrecy method
audit.kernel.data.items (type: keyword): the number of path records in the event
audit.kernel.data.a0 (type: keyword)
audit.kernel.data.a1 (type: keyword)
audit.kernel.data.a2 (type: keyword)
audit.kernel.data.a3 (type: keyword)
audit.kernel.data.cwd (type: keyword): the current working directory
audit.kernel.data.hostname (type: keyword): the hostname that the user is connecting from
audit.kernel.data.lport (type: keyword): local network port
audit.kernel.data.ppid (type: keyword): parent process ID
audit.kernel.data.rport (type: keyword): remote port number
audit.kernel.data.cmdline (type: keyword): The full command line from the execve message.
audit.kernel.data.exit (type: keyword): syscall exit code
audit.kernel.data.fp (type: keyword): crypto key finger print
audit.kernel.data.laddr (type: keyword): local network address
audit.kernel.data.sport (type: keyword): local port number
audit.kernel.data.capability (type: keyword): posix capabilities
audit.kernel.data.nargs (type: keyword): the number of arguments to a socket call
audit.kernel.data.new-enabled (type: keyword): new TTY audit enabled setting
audit.kernel.data.audit_backlog_limit (type: keyword): audit system’s backlog queue size
audit.kernel.data.dir (type: keyword): directory name
audit.kernel.data.cap_pe (type: keyword): process effective capability map
audit.kernel.data.model (type: keyword): security model being used for virt
audit.kernel.data.new_pp (type: keyword): new process permitted capability map
audit.kernel.data.old-enabled (type: keyword): present TTY audit enabled setting
audit.kernel.data.oauid (type: keyword): object’s login user ID
audit.kernel.data.old (type: keyword): old value
audit.kernel.data.banners (type: keyword): banners used on printed page
audit.kernel.data.feature (type: keyword): kernel feature being changed
audit.kernel.data.vm-ctx (type: keyword): the vm’s context string
audit.kernel.data.opid (type: keyword): object’s process ID
audit.kernel.data.seperms (type: keyword): SELinux permissions being used
audit.kernel.data.seresult (type: keyword): SELinux AVC decision granted/denied
audit.kernel.data.new-rng (type: keyword): device name of rng being added from a vm
audit.kernel.data.old-net (type: keyword): present MAC address assigned to vm
audit.kernel.data.sigev_signo (type: keyword): signal number
audit.kernel.data.ino (type: keyword): inode number
audit.kernel.data.old_enforcing (type: keyword): old MAC enforcement status
audit.kernel.data.old-vcpu (type: keyword): present number of CPU cores
audit.kernel.data.range (type: keyword): user’s SE Linux range
audit.kernel.data.res (type: keyword): result of the audited operation (success/fail)
audit.kernel.data.added (type: keyword): number of new files detected
audit.kernel.data.fam (type: keyword): socket address family
audit.kernel.data.nlnk-pid (type: keyword): pid of netlink packet sender
audit.kernel.data.subj (type: keyword): lspp subject’s context string
audit.kernel.data.a[0-3] (type: keyword): the arguments to a syscall
audit.kernel.data.cgroup (type: keyword): path to cgroup in sysfs
audit.kernel.data.kernel (type: keyword): kernel’s version number
audit.kernel.data.ocomm (type: keyword): object’s command line name
audit.kernel.data.new-net (type: keyword): MAC address being assigned to vm
audit.kernel.data.permissive (type: keyword): SELinux is in permissive mode
audit.kernel.data.class (type: keyword): resource class assigned to vm
audit.kernel.data.compat (type: keyword): is_compat_task result
audit.kernel.data.fi (type: keyword): file assigned inherited capability map
audit.kernel.data.changed (type: keyword): number of changed files
audit.kernel.data.msg (type: keyword): the payload of the audit record
audit.kernel.data.dport (type: keyword): remote port number
audit.kernel.data.new-seuser (type: keyword): new SELinux user
audit.kernel.data.invalid_context (type: keyword): SELinux context
audit.kernel.data.dmac (type: keyword): remote MAC address
audit.kernel.data.ipx-net (type: keyword): IPX network number
audit.kernel.data.iuid (type: keyword): ipc object’s user ID
audit.kernel.data.macproto (type: keyword): ethernet packet type ID field
audit.kernel.data.obj (type: keyword): lspp object context string
audit.kernel.data.a[[:digit:]+]\[.*\] (type: keyword): the arguments to the execve syscall
audit.kernel.data.ipid (type: keyword): IP datagram fragment identifier
audit.kernel.data.new-fs (type: keyword): file system being added to vm
audit.kernel.data.vm-pid (type: keyword): vm’s process ID
audit.kernel.data.cap_pi (type: keyword): process inherited capability map
audit.kernel.data.old-auid (type: keyword): previous auid value
audit.kernel.data.oses (type: keyword): object’s session ID
audit.kernel.data.fd (type: keyword): file descriptor number
audit.kernel.data.igid (type: keyword): ipc object’s group ID
audit.kernel.data.new-disk (type: keyword): disk being added to vm
audit.kernel.data.parent (type: keyword): the inode number of the parent file
audit.kernel.data.len (type: keyword): length
audit.kernel.data.oflag (type: keyword): open syscall flags
audit.kernel.data.uuid (type: keyword): a UUID
audit.kernel.data.code (type: keyword): seccomp action code
audit.kernel.data.nlnk-grp (type: keyword): netlink group number
audit.kernel.data.cap_fp (type: keyword): file permitted capability map
audit.kernel.data.new-mem (type: keyword): new amount of memory in KB
audit.kernel.data.seperm (type: keyword): SELinux permission being decided on
audit.kernel.data.enforcing (type: keyword): new MAC enforcement status
audit.kernel.data.new-chardev (type: keyword): new character device being assigned to vm
audit.kernel.data.old-rng (type: keyword): device name of rng being removed from a vm
audit.kernel.data.outif (type: keyword): out interface number
audit.kernel.data.cmd (type: keyword): command being executed
audit.kernel.data.hook (type: keyword): netfilter hook that packet came from
audit.kernel.data.new-level (type: keyword): new run level
audit.kernel.data.sauid (type: keyword): sent login user ID
audit.kernel.data.sig (type: keyword): signal number
audit.kernel.data.audit_backlog_wait_time (type: keyword): audit system’s backlog wait time
audit.kernel.data.printer (type: keyword): printer name
audit.kernel.data.old-mem (type: keyword): present amount of memory in KB
audit.kernel.data.perm (type: keyword): the file permission being used
audit.kernel.data.old_pi (type: keyword): old process inherited capability map
audit.kernel.data.state (type: keyword): audit daemon configuration resulting state
audit.kernel.data.format (type: keyword): audit log’s format
audit.kernel.data.new_gid (type: keyword): new group ID being assigned
audit.kernel.data.tcontext (type: keyword): the target’s or object’s context string
audit.kernel.data.maj (type: keyword): device major number
audit.kernel.data.watch (type: keyword): file name in a watch record
audit.kernel.data.device (type: keyword): device name
audit.kernel.data.grp (type: keyword): group name
audit.kernel.data.bool (type: keyword): name of SELinux boolean
audit.kernel.data.icmp_type (type: keyword): type of icmp message
audit.kernel.data.new_lock (type: keyword): new value of feature lock
audit.kernel.data.old_prom (type: keyword): network promiscuity flag
audit.kernel.data.acl (type: keyword): access mode of resource assigned to vm
audit.kernel.data.ip (type: keyword): network address of a printer
audit.kernel.data.new_pi (type: keyword): new process inherited capability map
audit.kernel.data.default-context (type: keyword): default MAC context
audit.kernel.data.inode_gid (type: keyword): group ID of the inode’s owner
audit.kernel.data.new-log_passwd (type: keyword): new value for TTY password logging
audit.kernel.data.new_pe (type: keyword): new process effective capability map
audit.kernel.data.selected-context (type: keyword): new MAC context assigned to session
audit.kernel.data.cap_fver (type: keyword): file system capabilities version number
audit.kernel.data.file (type: keyword): file name
audit.kernel.data.net (type: keyword): network MAC address
audit.kernel.data.virt (type: keyword): kind of virtualization being referenced
audit.kernel.data.cap_pp (type: keyword): process permitted capability map
audit.kernel.data.old-range (type: keyword): present SELinux range
audit.kernel.data.resrc (type: keyword): resource being assigned
audit.kernel.data.new-range (type: keyword): new SELinux range
audit.kernel.data.obj_gid (type: keyword): group ID of object
audit.kernel.data.proto (type: keyword): network protocol
audit.kernel.data.old-disk (type: keyword): disk being removed from vm
audit.kernel.data.audit_failure (type: keyword): audit system’s failure mode
audit.kernel.data.inif (type: keyword): in interface number
audit.kernel.data.vm (type: keyword): virtual machine name
audit.kernel.data.flags (type: keyword): mmap syscall flags
audit.kernel.data.nlnk-fam (type: keyword): netlink protocol number
audit.kernel.data.old-fs (type: keyword): file system being removed from vm
audit.kernel.data.old-ses (type: keyword): previous ses value
audit.kernel.data.seqno (type: keyword): sequence number
audit.kernel.data.fver (type: keyword): file system capabilities version number
audit.kernel.data.qbytes (type: keyword): ipc objects quantity of bytes
audit.kernel.data.seuser (type: keyword): user’s SE Linux user acct
audit.kernel.data.cap_fe (type: keyword): file assigned effective capability map
audit.kernel.data.new-vcpu (type: keyword): new number of CPU cores
audit.kernel.data.old-level (type: keyword): old run level
audit.kernel.data.old_pp (type: keyword): old process permitted capability map
audit.kernel.data.daddr (type: keyword): remote IP address
audit.kernel.data.old-role (type: keyword): present SELinux role
audit.kernel.data.ioctlcmd (type: keyword): The request argument to the ioctl syscall
audit.kernel.data.smac (type: keyword): local MAC address
audit.kernel.data.apparmor (type: keyword): apparmor event information
audit.kernel.data.fe (type: keyword): file assigned effective capability map
audit.kernel.data.perm_mask (type: keyword): file permission mask that triggered a watch event
audit.kernel.data.ses (type: keyword): login session ID
audit.kernel.data.cap_fi (type: keyword): file inherited capability map
audit.kernel.data.obj_uid (type: keyword): user ID of object
audit.kernel.data.reason (type: keyword): text string denoting a reason for the action
audit.kernel.data.list (type: keyword): the audit system’s filter list number
audit.kernel.data.old_lock (type: keyword): present value of feature lock
audit.kernel.data.bus (type: keyword): name of subsystem bus a vm resource belongs to
audit.kernel.data.old_pe (type: keyword): old process effective capability map
audit.kernel.data.new-role (type: keyword): new SELinux role
audit.kernel.data.prom (type: keyword): network promiscuity flag
audit.kernel.data.uri (type: keyword): URI pointing to a printer
audit.kernel.data.audit_enabled (type: keyword): audit system’s enable/disable status
audit.kernel.data.old-log_passwd (type: keyword): present value for TTY password logging
audit.kernel.data.old-seuser (type: keyword): present SELinux user
audit.kernel.data.per (type: keyword): linux personality
audit.kernel.data.scontext (type: keyword): the subject’s context string
audit.kernel.data.tclass (type: keyword): target’s object classification
audit.kernel.data.ver (type: keyword): audit daemon’s version number
audit.kernel.data.new (type: keyword): value being set in feature
audit.kernel.data.val (type: keyword): generic value associated with the operation
audit.kernel.data.img-ctx (type: keyword): the vm’s disk image context string
audit.kernel.data.old-chardev (type: keyword): present character device assigned to vm
audit.kernel.data.old_val (type: keyword): current value of SELinux boolean
audit.kernel.data.success (type: keyword): whether the syscall was successful or not
audit.kernel.data.inode_uid (type: keyword): user ID of the inode’s owner
audit.kernel.data.removed (type: keyword): number of deleted files
audit.kernel.messages (type: text): An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if kernel.include_raw_message is set in the config.
audit.kernel.warnings (type: keyword): The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.
geoip fields
Contains GeoIP information gathered based on the os_events.audit.addr field. Only present if the GeoIP Elasticsearch plugin is available and used.
audit.kernel.geoip.continent_name (type: keyword): The name of the continent.
audit.kernel.geoip.city_name (type: keyword): The name of the city.
audit.kernel.geoip.region_name (type: keyword): The name of the region.
audit.kernel.geoip.country_iso_code (type: keyword): Country ISO code.
audit.kernel.geoip.location (type: geo_point): The longitude and latitude.