Common fields | Auditbeat Reference [6.2]

WARNING: Version 6.2 of Auditbeat has passed its EOL date.

This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

› ›

« Cloud provider metadata fields Docker fields »

Common fieldsedit

Contains common fields available in all event types.

`event.module`edit

The name of the module that generated the event.

`event.action`edit

type: keyword

example: logged-in

Action describes the change that triggered the event. For the file integrity module the possible values are: attributes_modified, created, deleted, updated, moved, and config_change.

file fieldsedit

File attributes.

`file.path`edit

type: text

The path to the file.

`file.path.raw`edit

type: keyword

The path to the file. This is a non-analyzed field that is useful for aggregations.

`file.target_path`edit

type: keyword

The target path for symlinks.

`file.type`edit

type: keyword

The file type (file, dir, or symlink).

`file.device`edit

type: keyword

The device.

`file.inode`edit

type: keyword

The inode representing the file in the filesystem.

`file.uid`edit

type: keyword

The user ID (UID) or security identifier (SID) of the file owner.

`file.owner`edit

type: keyword

The file owner’s username.

`file.gid`edit

type: keyword

The primary group ID (GID) of the file.

`file.group`edit

type: keyword

The primary group name of the file.

`file.mode`edit

type: keyword

example: 416

The mode of the file in octal representation.

`file.setuid`edit

type: boolean

example: True

Set if the file has the setuid bit set. Omitted otherwise.

`file.setgid`edit

type: boolean

example: True

Set if the file has the setgid bit set. Omitted otherwise.

`file.size`edit

type: long

The file size in bytes (field is only added when type is file).

`file.mtime`edit

type: date

The last modified time of the file (time when content was modified).

`file.ctime`edit

type: date

The last change time of the file (time when metadata was changed).

`file.origin`edit

type: text

An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.

`file.origin.raw`edit

type: keyword

This is a non-analyzed field that is useful for aggregations on the origin data.

selinux fieldsedit

The SELinux identity of the file.

`file.selinux.user`edit

type: keyword

The owner of the object.

`file.selinux.role`edit

type: keyword

The object’s SELinux role.

`file.selinux.domain`edit

type: keyword

The object’s SELinux domain or type.

`file.selinux.level`edit

type: keyword

example: s0

The object’s SELinux level.

« Cloud provider metadata fields Docker fields »

Common fieldsedit

event.moduleedit

event.actionedit

file fieldsedit

file.pathedit

file.path.rawedit

file.target_pathedit

file.typeedit

file.deviceedit

file.inodeedit

file.uidedit

file.owneredit

file.gidedit

file.groupedit

file.modeedit

file.setuidedit

file.setgidedit

file.sizeedit

file.mtimeedit

file.ctimeedit

file.originedit

file.origin.rawedit

selinux fieldsedit

file.selinux.useredit

file.selinux.roleedit

file.selinux.domainedit

file.selinux.leveledit

`event.module`edit

`event.action`edit

`file.path`edit

`file.path.raw`edit

`file.target_path`edit

`file.type`edit

`file.device`edit

`file.inode`edit

`file.uid`edit

`file.owner`edit

`file.gid`edit

`file.group`edit

`file.mode`edit

`file.setuid`edit

`file.setgid`edit

`file.size`edit

`file.mtime`edit

`file.ctime`edit

`file.origin`edit

`file.origin.raw`edit

`file.selinux.user`edit

`file.selinux.role`edit

`file.selinux.domain`edit

`file.selinux.level`edit