Auditd fields

These are the fields generated by the auditd module.

event.category

type: keyword

example: audit-rule

The event’s category is a value derived from the record_type.

event.type

type: keyword

The audit record’s type.

user.auid

type: keyword

login user ID

user.uid

type: keyword

user ID

user.euid

type: keyword

effective user ID

user.fsuid

type: keyword

file system user ID

user.suid

type: keyword

sent user ID

user.gid

type: keyword

group ID

user.egid

type: keyword

effective group ID

user.sgid

type: keyword

set group ID

user.fsgid

type: keyword

file system group ID

name_map fields

If resolve_ids is set to true in the configuration then name_map will contain a mapping of uid field names to the resolved name (e.g. auid → root).

user.name_map.auid

type: keyword

login user name

user.name_map.uid

type: keyword

user name

user.name_map.euid

type: keyword

effective user name

user.name_map.fsuid

type: keyword

file system user name

user.name_map.suid

type: keyword

sent user name

user.name_map.gid

type: keyword

group name

user.name_map.egid

type: keyword

effective group name

user.name_map.sgid

type: keyword

set group name

user.name_map.fsgid

type: keyword

file system group name

selinux fields

The SELinux identity of the actor.

user.selinux.user

type: keyword

account submitted for authentication

user.selinux.role

type: keyword

user’s SELinux role

user.selinux.domain

type: keyword

The actor’s SELinux domain or type.

user.selinux.level

type: keyword

example: s0

The actor’s SELinux level.

user.selinux.category

type: keyword

The actor’s SELinux category or compartments.

process fields

Process attributes.

process.pid

type: keyword

Process ID.

process.ppid

type: keyword

Parent process ID.

process.name

type: keyword

Process name (comm).

process.title

type: keyword

Process title or command line parameters (proctitle).

process.exe

type: keyword

Absolute path of the executable.

process.cwd

type: keyword

The current working directory.

process.args

type: keyword

The process arguments as a list.

source fields

Source that triggered the event.

source.ip

type: ip

The remote address.

source.port

type: keyword

The port number.

source.hostname

type: keyword

Hostname of the source.

source.path

type: keyword

This is the path associated with a unix socket.

destination fields

Destination address that triggered the event.

destination.ip

type: ip

The remote address.

destination.port

type: keyword

The port number.

destination.hostname

type: keyword

Hostname of the destination.

destination.path

type: keyword

This is the path associated with a unix socket.

network.direction

type: keyword

Direction of the network traffic (incoming or outgoing).

auditd.sequence

type: long

The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover.

auditd.session

type: keyword

The session ID assigned to a login. All events related to a login session will have the same value.

auditd.result

type: keyword

example: success or fail

The result of the audited operation (success/fail).

actor fields

The actor is the user that triggered the audit event.

auditd.summary.actor.primary

type: keyword

The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.

auditd.summary.actor.secondary

type: keyword

The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su.

object fields

This is the thing or object being acted upon in the event.

auditd.summary.object.type

type: keyword

A description of what the "thing" is (e.g. file, socket, user-session).

auditd.summary.object.primary

type: keyword

auditd.summary.object.secondary

type: keyword

auditd.summary.how

type: keyword

This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.

paths fields

List of paths associated with the event.

auditd.paths.inode

type: keyword

inode number

auditd.paths.dev

type: keyword

device name as found in /dev

auditd.paths.obj_user

type: keyword

auditd.paths.obj_role

type: keyword

auditd.paths.obj_domain

type: keyword

auditd.paths.obj_level

type: keyword

auditd.paths.objtype

type: keyword

auditd.paths.ouid

type: keyword

file owner user ID

auditd.paths.rdev

type: keyword

the device identifier (special files only)

auditd.paths.nametype

type: keyword

kind of file operation being referenced

auditd.paths.ogid

type: keyword

file owner group ID

auditd.paths.item

type: keyword

which item is being recorded

auditd.paths.mode

type: keyword

mode flags on a file

auditd.paths.name

type: keyword

file name in AVCs

data fields

The data from the audit messages.

auditd.data.action

type: keyword

netfilter packet disposition

auditd.data.minor

type: keyword

device minor number

auditd.data.acct

type: keyword

a user’s account name

auditd.data.addr

type: keyword

the remote address that the user is connecting from

auditd.data.cipher

type: keyword

name of crypto cipher selected

auditd.data.id

type: keyword

during account changes

auditd.data.entries

type: keyword

number of entries in the netfilter table

auditd.data.kind

type: keyword

server or client in crypto operation

auditd.data.ksize

type: keyword

key size for crypto operation

auditd.data.spid

type: keyword

sent process ID

auditd.data.arch

type: keyword

the elf architecture flags

auditd.data.argc

type: keyword

the number of arguments to an execve syscall

auditd.data.major

type: keyword

device major number

auditd.data.unit

type: keyword

systemd unit

auditd.data.table

type: keyword

netfilter table name

auditd.data.terminal

type: keyword

terminal name the user is running programs on

auditd.data.grantors

type: keyword

pam modules approving the action

auditd.data.direction

type: keyword

direction of crypto operation

auditd.data.op

type: keyword

the operation being performed that is audited

auditd.data.tty

type: keyword

tty device the user is running programs on

auditd.data.syscall

type: keyword

syscall number in effect when the event occurred

auditd.data.data

type: keyword

TTY text

auditd.data.family

type: keyword

netfilter protocol

auditd.data.mac

type: keyword

crypto MAC algorithm selected

auditd.data.pfs

type: keyword

perfect forward secrecy method

auditd.data.items

type: keyword

the number of path records in the event

auditd.data.a0

type: keyword

auditd.data.a1

type: keyword

auditd.data.a2

type: keyword

auditd.data.a3

type: keyword

auditd.data.hostname

type: keyword

the hostname that the user is connecting from

auditd.data.lport

type: keyword

local network port

auditd.data.rport

type: keyword

remote port number

auditd.data.exit

type: keyword

syscall exit code

auditd.data.fp

type: keyword

crypto key fingerprint

auditd.data.laddr

type: keyword

local network address

auditd.data.sport

type: keyword

local port number

auditd.data.capability

type: keyword

posix capabilities

auditd.data.nargs

type: keyword

the number of arguments to a socket call

auditd.data.new-enabled

type: keyword

new TTY audit enabled setting

auditd.data.audit_backlog_limit

type: keyword

audit system’s backlog queue size

auditd.data.dir

type: keyword

directory name

auditd.data.cap_pe

type: keyword

process effective capability map

auditd.data.model

type: keyword

security model being used for virt

auditd.data.new_pp

type: keyword

new process permitted capability map

auditd.data.old-enabled

type: keyword

present TTY audit enabled setting

auditd.data.oauid

type: keyword

object’s login user ID

auditd.data.old

type: keyword

old value

auditd.data.banners

type: keyword

banners used on printed page

auditd.data.feature

type: keyword

kernel feature being changed

auditd.data.vm-ctx

type: keyword

the vm’s context string

auditd.data.opid

type: keyword

object’s process ID

auditd.data.seperms

type: keyword

SELinux permissions being used

auditd.data.seresult

type: keyword

SELinux AVC decision granted/denied

auditd.data.new-rng

type: keyword

device name of rng being added from a vm

auditd.data.old-net

type: keyword

present MAC address assigned to vm

auditd.data.sigev_signo

type: keyword

signal number

auditd.data.ino

type: keyword

inode number

auditd.data.old_enforcing

type: keyword

old MAC enforcement status

auditd.data.old-vcpu

type: keyword

present number of CPU cores

auditd.data.range

type: keyword

user’s SELinux range

auditd.data.res

type: keyword

result of the audited operation (success/fail)

auditd.data.added

type: keyword

number of new files detected

auditd.data.fam

type: keyword

socket address family

auditd.data.nlnk-pid

type: keyword

pid of netlink packet sender

auditd.data.subj

type: keyword

lspp subject’s context string

auditd.data.a[0-3]

type: keyword

the arguments to a syscall

auditd.data.cgroup

type: keyword

path to cgroup in sysfs

auditd.data.kernel

type: keyword

kernel’s version number

auditd.data.ocomm

type: keyword

object’s command line name

auditd.data.new-net

type: keyword

MAC address being assigned to vm

auditd.data.permissive

type: keyword

SELinux is in permissive mode

auditd.data.class

type: keyword

resource class assigned to vm

auditd.data.compat

type: keyword

is_compat_task result

auditd.data.fi

type: keyword

file assigned inherited capability map

auditd.data.changed

type: keyword

number of changed files

auditd.data.msg

type: keyword

the payload of the audit record

auditd.data.dport

type: keyword

remote port number

auditd.data.new-seuser

type: keyword

new SELinux user

auditd.data.invalid_context

type: keyword

SELinux context

auditd.data.dmac

type: keyword

remote MAC address

auditd.data.ipx-net

type: keyword

IPX network number

auditd.data.iuid

type: keyword

ipc object’s user ID

auditd.data.macproto

type: keyword

ethernet packet type ID field

auditd.data.obj

type: keyword

lspp object context string

auditd.data.ipid

type: keyword

IP datagram fragment identifier

auditd.data.new-fs

type: keyword

file system being added to vm

auditd.data.vm-pid

type: keyword

vm’s process ID

auditd.data.cap_pi

type: keyword

process inherited capability map

auditd.data.old-auid

type: keyword

previous auid value

auditd.data.oses

type: keyword

object’s session ID

auditd.data.fd

type: keyword

file descriptor number

auditd.data.igid

type: keyword

ipc object’s group ID

auditd.data.new-disk

type: keyword

disk being added to vm

auditd.data.parent

type: keyword

the inode number of the parent file

auditd.data.len

type: keyword

length

auditd.data.oflag

type: keyword

open syscall flags

auditd.data.uuid

type: keyword

a UUID

auditd.data.code

type: keyword

seccomp action code

auditd.data.nlnk-grp

type: keyword

netlink group number

auditd.data.cap_fp

type: keyword

file permitted capability map

auditd.data.new-mem

type: keyword

new amount of memory in KB

auditd.data.seperm

type: keyword

SELinux permission being decided on

auditd.data.enforcing

type: keyword

new MAC enforcement status

auditd.data.new-chardev

type: keyword

new character device being assigned to vm

auditd.data.old-rng

type: keyword

device name of rng being removed from a vm

auditd.data.outif

type: keyword

out interface number

auditd.data.cmd

type: keyword

command being executed

auditd.data.hook

type: keyword

netfilter hook that packet came from

auditd.data.new-level

type: keyword

new run level

auditd.data.sauid

type: keyword

sent login user ID

auditd.data.sig

type: keyword

signal number

auditd.data.audit_backlog_wait_time

type: keyword

audit system’s backlog wait time

auditd.data.printer

type: keyword

printer name

auditd.data.old-mem

type: keyword

present amount of memory in KB

auditd.data.perm

type: keyword

the file permission being used

auditd.data.old_pi

type: keyword

old process inherited capability map

auditd.data.state

type: keyword

audit daemon configuration resulting state

auditd.data.format

type: keyword

audit log’s format

auditd.data.new_gid

type: keyword

new group ID being assigned

auditd.data.tcontext

type: keyword

the target’s or object’s context string

auditd.data.maj

type: keyword

device major number

auditd.data.watch

type: keyword

file name in a watch record

auditd.data.device

type: keyword

device name

auditd.data.grp

type: keyword

group name

auditd.data.bool

type: keyword

name of SELinux boolean

auditd.data.icmp_type

type: keyword

type of icmp message

auditd.data.new_lock

type: keyword

new value of feature lock

auditd.data.old_prom

type: keyword

network promiscuity flag

auditd.data.acl

type: keyword

access mode of resource assigned to vm

auditd.data.ip

type: keyword

network address of a printer

auditd.data.new_pi

type: keyword

new process inherited capability map

auditd.data.default-context

type: keyword

default MAC context

auditd.data.inode_gid

type: keyword

group ID of the inode’s owner

auditd.data.new-log_passwd

type: keyword

new value for TTY password logging

auditd.data.new_pe

type: keyword

new process effective capability map

auditd.data.selected-context

type: keyword

new MAC context assigned to session

auditd.data.cap_fver

type: keyword

file system capabilities version number

auditd.data.file

type: keyword

file name

auditd.data.net

type: keyword

network MAC address

auditd.data.virt

type: keyword

kind of virtualization being referenced

auditd.data.cap_pp

type: keyword

process permitted capability map

auditd.data.old-range

type: keyword

present SELinux range

auditd.data.resrc

type: keyword

resource being assigned

auditd.data.new-range

type: keyword

new SELinux range

auditd.data.obj_gid

type: keyword

group ID of object

auditd.data.proto

type: keyword

network protocol

auditd.data.old-disk

type: keyword

disk being removed from vm

auditd.data.audit_failure

type: keyword

audit system’s failure mode

auditd.data.inif

type: keyword

in interface number

auditd.data.vm

type: keyword

virtual machine name

auditd.data.flags

type: keyword

mmap syscall flags

auditd.data.nlnk-fam

type: keyword

netlink protocol number

auditd.data.old-fs

type: keyword

file system being removed from vm

auditd.data.old-ses

type: keyword

previous ses value

auditd.data.seqno

type: keyword

sequence number

auditd.data.fver

type: keyword

file system capabilities version number

auditd.data.qbytes

type: keyword

ipc object’s quantity of bytes

auditd.data.seuser

type: keyword

user’s SELinux user account

auditd.data.cap_fe

type: keyword

file assigned effective capability map

auditd.data.new-vcpu

type: keyword

new number of CPU cores

auditd.data.old-level

type: keyword

old run level

auditd.data.old_pp

type: keyword

old process permitted capability map

auditd.data.daddr

type: keyword

remote IP address

auditd.data.old-role

type: keyword

present SELinux role

auditd.data.ioctlcmd

type: keyword

The request argument to the ioctl syscall

auditd.data.smac

type: keyword

local MAC address

auditd.data.apparmor

type: keyword

apparmor event information

auditd.data.fe

type: keyword

file assigned effective capability map

auditd.data.perm_mask

type: keyword

file permission mask that triggered a watch event

auditd.data.ses

type: keyword

login session ID

auditd.data.cap_fi

type: keyword

file inherited capability map

auditd.data.obj_uid

type: keyword

user ID of object

auditd.data.reason

type: keyword

text string denoting a reason for the action

auditd.data.list

type: keyword

the audit system’s filter list number

auditd.data.old_lock

type: keyword

present value of feature lock

auditd.data.bus

type: keyword

name of subsystem bus a vm resource belongs to

auditd.data.old_pe

type: keyword

old process effective capability map

auditd.data.new-role

type: keyword

new SELinux role

auditd.data.prom

type: keyword

network promiscuity flag

auditd.data.uri

type: keyword

URI pointing to a printer

auditd.data.audit_enabled

type: keyword

audit system’s enable/disable status

auditd.data.old-log_passwd

type: keyword

present value for TTY password logging

auditd.data.old-seuser

type: keyword

present SELinux user

auditd.data.per

type: keyword

Linux personality

auditd.data.scontext

type: keyword

the subject’s context string

auditd.data.tclass

type: keyword

target’s object classification

auditd.data.ver

type: keyword

audit daemon’s version number

auditd.data.new

type: keyword

value being set in feature

auditd.data.val

type: keyword

generic value associated with the operation

auditd.data.img-ctx

type: keyword

the vm’s disk image context string

auditd.data.old-chardev

type: keyword

present character device assigned to vm

auditd.data.old_val

type: keyword

current value of SELinux boolean

auditd.data.success

type: keyword

whether the syscall was successful or not

auditd.data.inode_uid

type: keyword

user ID of the inode’s owner

auditd.data.removed

type: keyword

number of deleted files

auditd.data.socket.port

type: keyword

The port number.

auditd.data.socket.saddr

type: keyword

The raw socket address structure.

auditd.data.socket.addr

type: keyword

The remote address.

auditd.data.socket.family

type: keyword

example: unix

The socket family (unix, ipv4, ipv6, netlink).

auditd.data.socket.path

type: keyword

This is the path associated with a unix socket.

auditd.messages

type: text

An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if include_raw_message is set in the config.

auditd.warnings

type: keyword

The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.

geoip fields

The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or Ingest Node.

geoip.continent_name

type: keyword

The name of the continent.

geoip.city_name

type: keyword

The name of the city.

geoip.region_name

type: keyword

The name of the region.

geoip.country_iso_code

type: keyword

Country ISO code.

geoip.location

type: geo_point

The longitude and latitude.