System fields

These are the fields generated by the system module.

system.audit fields

host fields

host contains general host information.

system.audit.host.uptime

type: long

Uptime in nanoseconds.

system.audit.host.boottime

type: date

Boot time.

system.audit.host.containerized

type: boolean

True if the host is running inside a container.

system.audit.host.timezone.name

type: keyword

Name of the timezone of the host, e.g. BST.

system.audit.host.timezone.offset.sec

type: long

Timezone offset in seconds.

system.audit.host.hostname

type: keyword

Hostname.

system.audit.host.id

type: keyword

Host ID.

system.audit.host.architecture

type: keyword

Host architecture (e.g. x86_64).

system.audit.host.mac

type: keyword

MAC addresses.

system.audit.host.ip

type: ip

IP addresses.

os fields

os contains information about the operating system.

system.audit.host.os.platform

type: keyword

OS platform (e.g. centos, ubuntu, windows).

system.audit.host.os.name

type: keyword

OS name (e.g. Mac OS X).

system.audit.host.os.family

type: keyword

OS family (e.g. redhat, debian, freebsd, windows).

system.audit.host.os.version

type: keyword

OS version.

system.audit.host.os.kernel

type: keyword

The operating system’s kernel version.

user fields

user contains information about the users on a system.

system.audit.user.name

type: keyword

User name.

system.audit.user.uid

type: keyword

User ID.

system.audit.user.gid

type: keyword

Group ID.

system.audit.user.dir

type: keyword

User’s home directory.

system.audit.user.shell

type: keyword

Program to run at login.

system.audit.user.user_information

type: text

General user information. On Linux, this is the gecos field.

system.audit.user.group

type: object

group contains information about any groups the user is part of (beyond the user’s primary group).

password fields

password contains information about a user’s password (not the password itself).

system.audit.user.password.type

type: keyword

A user’s password type. Possible values are shadow_password (the password hash is in the shadow file), password_disabled, no_password (this is dangerous as anyone can log in), and crypt_password (when the password field in /etc/passwd seems to contain an encrypted password).

system.audit.user.password.last_changed

type: date

The day the user’s password was last changed.
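The user and password fields above describe what a record looks like, but not how the values are derived from the account databases. The following is an added example, not Auditbeat's own code: it parses constructed excerpts of /etc/passwd, /etc/shadow and /etc/group (placeholder hashes, not real digests) into system.audit.user.* records. The classification rules in password_type are this editor's reading of the four values listed under system.audit.user.password.type, the "days since 1970-01-01" conversion follows the shadow(5) format, and the treatment of a 0 change-day as "no date" is an assumption.

```python
import datetime as dt

# Constructed sample excerpts; not from a real host, hashes are placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
legacy:$6$saltsalt$0123456789abcdef:1001:1001:Legacy Account:/home/legacy:/bin/sh
guest::1002:1002:No Password Guest:/home/guest:/bin/sh
"""
SHADOW = """\
root:!:19000:0:99999:7:::
alice:$6$rounds=5000$saltsalt$fedcba9876543210:19723:0:99999:7:::
backup:*:18474:0:99999:7:::
"""
GROUP = """\
root:x:0:
sudo:x:27:alice
docker:x:999:alice,backup
alice:x:1000:
"""
EPOCH = dt.date(1970, 1, 1)


def password_type(passwd_field, shadow_field):
    """Editor's mapping onto the page's four password.type values (assumption):
    "x" defers to shadow, empty means no password, "!"/"*" means locked."""
    if passwd_field == "x":
        if shadow_field is None:
            return "shadow_password"  # passwd claims a shadow hash; no entry to refine it
        if shadow_field == "":
            return "no_password"
        if shadow_field.startswith(("!", "*")):
            return "password_disabled"
        return "shadow_password"
    if passwd_field == "":
        return "no_password"
    if passwd_field.startswith(("!", "*")):
        return "password_disabled"
    return "crypt_password"  # something hash-like sits directly in /etc/passwd


def last_changed(days_field):
    """shadow field 3 is days since 1970-01-01; return ISO date or None."""
    if not days_field:
        return None
    days = int(days_field)
    if days == 0:  # assumption: 0 ("change at next login") carries no real date
        return None
    return (EPOCH + dt.timedelta(days=days)).isoformat()


def parse_shadow(text):
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def supplementary_groups(text, user, primary_gid):
    """Groups listing the user as a member, excluding the primary group."""
    groups = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, gid, members = line.split(":", 3)
        if user in members.split(",") and gid != primary_gid:
            groups.append({"name": name, "gid": gid})
    return groups


def audit_users(passwd_text, shadow_text, group_text):
    """One system.audit.user.* record per /etc/passwd line."""
    shadow = parse_shadow(shadow_text)
    events = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        sh = shadow.get(name)
        events.append({
            "system.audit.user.name": name,
            "system.audit.user.uid": uid,
            "system.audit.user.gid": gid,
            "system.audit.user.dir": home,
            "system.audit.user.shell": shell,
            "system.audit.user.user_information": gecos,  # gecos field on Linux
            "system.audit.user.group": supplementary_groups(group_text, name, gid),
            "system.audit.user.password.type": password_type(pw, sh[1] if sh else None),
            "system.audit.user.password.last_changed": last_changed(sh[2]) if sh else None,
        })
    return events


def no_password_users(events):
    """Accounts anyone can log in to: the case the page flags as dangerous."""
    return [e["system.audit.user.name"] for e in events
            if e["system.audit.user.password.type"] == "no_password"]


if __name__ == "__main__":
    evs = audit_users(PASSWD, SHADOW, GROUP)
    for e in evs:
        print(e["system.audit.user.name"], e["system.audit.user.password.type"],
              e["system.audit.user.password.last_changed"], e["system.audit.user.group"])
    print("no_password accounts:", no_password_users(evs))
```

Running it on the constructed input reports root and backup as password_disabled, alice as shadow_password (changed 2024-01-01), legacy as crypt_password and guest as no_password, which is the account a detection rule on this field should alert on.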