Common fields

Contains common fields available in all event types.

file fields

File attributes.

file.setuid

type: boolean

example: True

Set if the file has the setuid bit set. Omitted otherwise.

file.setgid

type: boolean

example: True

Set if the file has the setgid bit set. Omitted otherwise.

file.origin

type: keyword

An array of strings describing a possible external origin for this file, for example the URL it was downloaded from. Only supported on macOS, via the kMDItemWhereFroms extended attribute. Omitted if origin information is not available.

file.origin.raw

type: keyword

This is a non-analyzed field that is useful for aggregations on the origin data.

selinux fields

The SELinux identity of the file.

file.selinux.user

type: keyword

The owner of the object.

file.selinux.role

type: keyword

The object’s SELinux role.

file.selinux.domain

type: keyword

The object’s SELinux domain or type.

file.selinux.level

type: keyword

example: s0

The object’s SELinux level.

user fields

User information.

audit fields

Audit user information.

user.audit.id

type: keyword

Audit user ID.

user.audit.name

type: keyword

Audit user name.

effective fields

Effective user information.

user.effective.id

type: keyword

Effective user ID.

user.effective.name

type: keyword

Effective user name.

group fields

Effective group information.

user.effective.group.id

type: keyword

Effective group ID.

user.effective.group.name

type: keyword

Effective group name.

filesystem fields

Filesystem user information.

user.filesystem.id

type: keyword

Filesystem user ID.

user.filesystem.name

type: keyword

Filesystem user name.

group fields

Filesystem group information.

user.filesystem.group.id

type: keyword

Filesystem group ID.

user.filesystem.group.name

type: keyword

Filesystem group name.

saved fields

Saved user information.

user.saved.id

type: keyword

Saved user ID.

user.saved.name

type: keyword

Saved user name.

group fields

Saved group information.

user.saved.group.id

type: keyword

Saved group ID.

user.saved.group.name

type: keyword

Saved group name.