Audit fieldsedit

The audit module reports security-relevant information based on data captured from the operating system (OS) or services running on the OS.

audit fieldsedit

file fieldsedit

The file metricset generates events when a file changes on disk.

audit.file.pathedit

type: keyword

The path to the file.

audit.file.target_pathedit

type: keyword

The target path for symlinks.

audit.file.actionedit

type: keyword

example: attributes_modified

Action describes the change that triggered the event. The possible values are: attributes_modified, created, deleted, updated, moved, and config_change.

audit.file.typeedit

type: keyword

The file type (file, dir, or symlink).

audit.file.inodeedit

type: keyword

The inode representing the file in the filesystem.

audit.file.uidedit

type: keyword

The user ID (UID) of the file owner.

audit.file.owneredit

type: keyword

The file owner’s username.

audit.file.gidedit

type: keyword

The primary group ID (GID) of the file.

audit.file.groupedit

type: keyword

The primary group name of the file.

audit.file.sidedit

type: keyword

The security identifier (SID) of the file owner (Windows only).

audit.file.modeedit

type: keyword

example: 416

The mode of the file in octal representation.

audit.file.sizeedit

type: long

The file size in bytes (field is only added when type is file).

audit.file.mtimeedit

type: date

The last modified time of the file (time when content was modified).

audit.file.ctimeedit

type: date

The last change time of the file (time when metadata was changed).

audit.file.hashededit

type: boolean

Boolean indicating if the event includes any file hashes.

audit.file.md5edit

type: keyword

MD5 hash of the file.

audit.file.sha1edit

type: keyword

SHA1 hash of the file.

audit.file.sha224edit

type: keyword

SHA224 hash of the file.

audit.file.sha256edit

type: keyword

SHA256 hash of the file.

audit.file.sha384edit

type: keyword

SHA384 hash of the file.

audit.file.sha3_224edit

type: keyword

SHA3_224 hash of the file.

audit.file.sha3_256edit

type: keyword

SHA3_256 hash of the file.

audit.file.sha3_384edit

type: keyword

SHA3_384 hash of the file.

audit.file.sha3_512edit

type: keyword

SHA3_512 hash of the file.

audit.file.sha512edit

type: keyword

SHA512 hash of the file.

audit.file.sha512_224edit

type: keyword

SHA512/224 hash of the file.

audit.file.sha512_256edit

type: keyword

SHA512/256 hash of the file.

kernel fieldsedit

The kernel metricset distributes audit events received from the Linux Audit Framework that is a part of the Linux kernel.

audit.kernel.actionedit

type: keyword

example: logged-in

A description of the action taken by the user.

actor fieldsedit

The actor is the user that triggered the audit event.

attrs fieldsedit

Attributes of the actor.

audit.kernel.actor.attrs.auidedit

type: keyword

login user ID

audit.kernel.actor.attrs.uidedit

type: keyword

user ID

audit.kernel.actor.attrs.euidedit

type: keyword

effective user ID

audit.kernel.actor.attrs.fsuidedit

type: keyword

file system user ID

audit.kernel.actor.attrs.suidedit

type: keyword

sent user ID

audit.kernel.actor.attrs.gidedit

type: keyword

group ID

audit.kernel.actor.attrs.egidedit

type: keyword

effective group ID

audit.kernel.actor.attrs.sgidedit

type: keyword

set group ID

audit.kernel.actor.attrs.fsgidedit

type: keyword

file system group ID

audit.kernel.actor.primaryedit

type: keyword

The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.

audit.kernel.actor.secondaryedit

type: keyword

The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su.

selinux fieldsedit

The SELinux identity of the actor.

audit.kernel.actor.selinux.useredit

type: keyword

account submitted for authentication

audit.kernel.actor.selinux.roleedit

type: keyword

user’s SELinux role

audit.kernel.actor.selinux.domainedit

type: keyword

The actor’s SELinux domain or type.

audit.kernel.actor.selinux.leveledit

type: keyword

example: s0

The actor’s SELinux level.

audit.kernel.actor.selinux.categoryedit

type: keyword

The actor’s SELinux category or compartments.

audit.kernel.categoryedit

type: keyword

example: audit-rule

The event’s category is a value derived from the record_type.

audit.kernel.sequenceedit

type: long

The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover.

audit.kernel.sessionedit

type: keyword

The session ID assigned to a login. All events related to a login session will have the same value.

paths fieldsedit

List of paths associated with the event.

audit.kernel.paths.inodeedit

type: keyword

inode number

audit.kernel.paths.devedit

type: keyword

device name as found in /dev

audit.kernel.paths.obj_useredit

type: keyword

audit.kernel.paths.obj_roleedit

type: keyword

audit.kernel.paths.obj_domainedit

type: keyword

audit.kernel.paths.obj_leveledit

type: keyword

audit.kernel.paths.objtypeedit

type: keyword

audit.kernel.paths.ouidedit

type: keyword

file owner user ID

audit.kernel.paths.rdevedit

type: keyword

the device identifier (special files only)

audit.kernel.paths.nametypeedit

type: keyword

kind of file operation being referenced

audit.kernel.paths.ogidedit

type: keyword

file owner group ID

audit.kernel.paths.itemedit

type: keyword

which item is being recorded

audit.kernel.paths.modeedit

type: keyword

mode flags on a file

audit.kernel.paths.nameedit

type: keyword

file name in avcs

audit.kernel.record_typeedit

type: keyword

The audit record’s type.

socket fieldsedit

Socket data from sockaddr messages.

audit.kernel.socket.portedit

type: keyword

The port number.

audit.kernel.socket.saddredit

type: keyword

The raw socket address structure.

audit.kernel.socket.addredit

type: keyword

The remote address.

audit.kernel.socket.familyedit

type: keyword

example: unix

The socket family (unix, ipv4, ipv6, netlink).

audit.kernel.socket.pathedit

type: keyword

This is the path associated with a unix socket.

thing fieldsedit

This is the thing or object being acted upon in the event.

audit.kernel.thing.whatedit

type: keyword

A description of the what the "thing" is (e.g. file, socket, user-session).

audit.kernel.thing.primaryedit

type: keyword

audit.kernel.thing.secondaryedit

type: keyword

selinux fieldsedit

The SELinux identity of the object.

audit.kernel.thing.selinux.useredit

type: keyword

The owner of the object.

audit.kernel.thing.selinux.roleedit

type: keyword

The object’s SELinux role.

audit.kernel.thing.selinux.domainedit

type: keyword

The object’s SELinux domain or type.

audit.kernel.thing.selinux.leveledit

type: keyword

example: s0

The object’s SELinux level.

audit.kernel.howedit

type: keyword

This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.

audit.kernel.keyedit

type: keyword

The key assigned to the audit rule that triggered the event.

audit.kernel.resultedit

type: keyword

example: success or fail

The result of the audited operation (success/fail).

data fieldsedit

The data from the audit messages.

audit.kernel.data.actionedit

type: keyword

netfilter packet disposition

audit.kernel.data.minoredit

type: keyword

device minor number

audit.kernel.data.acctedit

type: keyword

a user’s account name

audit.kernel.data.addredit

type: keyword

the remote address that the user is connecting from

audit.kernel.data.cipheredit

type: keyword

name of crypto cipher selected

audit.kernel.data.idedit

type: keyword

during account changes

audit.kernel.data.entriesedit

type: keyword

number of entries in the netfilter table

audit.kernel.data.kindedit

type: keyword

server or client in crypto operation

audit.kernel.data.ksizeedit

type: keyword

key size for crypto operation

audit.kernel.data.spidedit

type: keyword

sent process ID

audit.kernel.data.archedit

type: keyword

the elf architecture flags

audit.kernel.data.argcedit

type: keyword

the number of arguments to an execve syscall

audit.kernel.data.majoredit

type: keyword

device major number

audit.kernel.data.unitedit

type: keyword

systemd unit

audit.kernel.data.tableedit

type: keyword

netfilter table name

audit.kernel.data.terminaledit

type: keyword

terminal name the user is running programs on

audit.kernel.data.commedit

type: keyword

command line program name

audit.kernel.data.exeedit

type: keyword

executable name

audit.kernel.data.grantorsedit

type: keyword

pam modules approving the action

audit.kernel.data.pidedit

type: keyword

process ID

audit.kernel.data.directionedit

type: keyword

direction of crypto operation

audit.kernel.data.opedit

type: keyword

the operation being performed that is audited

audit.kernel.data.ttyedit

type: keyword

tty udevice the user is running programs on

audit.kernel.data.proctitleedit

type: keyword

process title and command line parameters

audit.kernel.data.syscalledit

type: keyword

syscall number in effect when the event occurred

audit.kernel.data.dataedit

type: keyword

TTY text

audit.kernel.data.familyedit

type: keyword

netfilter protocol

audit.kernel.data.macedit

type: keyword

crypto MAC algorithm selected

audit.kernel.data.pfsedit

type: keyword

perfect forward secrecy method

audit.kernel.data.itemsedit

type: keyword

the number of path records in the event

audit.kernel.data.a0edit

type: keyword

audit.kernel.data.a1edit

type: keyword

audit.kernel.data.a2edit

type: keyword

audit.kernel.data.a3edit

type: keyword

audit.kernel.data.cwdedit

type: keyword

the current working directory

audit.kernel.data.hostnameedit

type: keyword

the hostname that the user is connecting from

audit.kernel.data.lportedit

type: keyword

local network port

audit.kernel.data.ppidedit

type: keyword

parent process ID

audit.kernel.data.rportedit

type: keyword

remote port number

audit.kernel.data.cmdlineedit

type: keyword

The full command line from the execve message.

audit.kernel.data.exitedit

type: keyword

syscall exit code

audit.kernel.data.fpedit

type: keyword

crypto key finger print

audit.kernel.data.laddredit

type: keyword

local network address

audit.kernel.data.sportedit

type: keyword

local port number

audit.kernel.data.capabilityedit

type: keyword

posix capabilities

audit.kernel.data.nargsedit

type: keyword

the number of arguments to a socket call

audit.kernel.data.new-enablededit

type: keyword

new TTY audit enabled setting

audit.kernel.data.audit_backlog_limitedit

type: keyword

audit system’s backlog queue size

audit.kernel.data.diredit

type: keyword

directory name

audit.kernel.data.cap_peedit

type: keyword

process effective capability map

audit.kernel.data.modeledit

type: keyword

security model being used for virt

audit.kernel.data.new_ppedit

type: keyword

new process permitted capability map

audit.kernel.data.old-enablededit

type: keyword

present TTY audit enabled setting

audit.kernel.data.oauidedit

type: keyword

object’s login user ID

audit.kernel.data.oldedit

type: keyword

old value

audit.kernel.data.bannersedit

type: keyword

banners used on printed page

audit.kernel.data.featureedit

type: keyword

kernel feature being changed

audit.kernel.data.vm-ctxedit

type: keyword

the vm’s context string

audit.kernel.data.opidedit

type: keyword

object’s process ID

audit.kernel.data.sepermsedit

type: keyword

SELinux permissions being used

audit.kernel.data.seresultedit

type: keyword

SELinux AVC decision granted/denied

audit.kernel.data.new-rngedit

type: keyword

device name of rng being added from a vm

audit.kernel.data.old-netedit

type: keyword

present MAC address assigned to vm

audit.kernel.data.sigev_signoedit

type: keyword

signal number

audit.kernel.data.inoedit

type: keyword

inode number

audit.kernel.data.old_enforcingedit

type: keyword

old MAC enforcement status

audit.kernel.data.old-vcpuedit

type: keyword

present number of CPU cores

audit.kernel.data.rangeedit

type: keyword

user’s SE Linux range

audit.kernel.data.resedit

type: keyword

result of the audited operation(success/fail)

audit.kernel.data.addededit

type: keyword

number of new files detected

audit.kernel.data.famedit

type: keyword

socket address family

audit.kernel.data.nlnk-pidedit

type: keyword

pid of netlink packet sender

audit.kernel.data.subjedit

type: keyword

lspp subject’s context string

audit.kernel.data.a[0-3]edit

type: keyword

the arguments to a syscall

audit.kernel.data.cgroupedit

type: keyword

path to cgroup in sysfs

audit.kernel.data.kerneledit

type: keyword

kernel’s version number

audit.kernel.data.ocommedit

type: keyword

object’s command line name

audit.kernel.data.new-netedit

type: keyword

MAC address being assigned to vm

audit.kernel.data.permissiveedit

type: keyword

SELinux is in permissive mode

audit.kernel.data.classedit

type: keyword

resource class assigned to vm

audit.kernel.data.compatedit

type: keyword

is_compat_task result

audit.kernel.data.fiedit

type: keyword

file assigned inherited capability map

audit.kernel.data.changededit

type: keyword

number of changed files

audit.kernel.data.msgedit

type: keyword

the payload of the audit record

audit.kernel.data.dportedit

type: keyword

remote port number

audit.kernel.data.new-seuseredit

type: keyword

new SELinux user

audit.kernel.data.invalid_contextedit

type: keyword

SELinux context

audit.kernel.data.dmacedit

type: keyword

remote MAC address

audit.kernel.data.ipx-netedit

type: keyword

IPX network number

audit.kernel.data.iuidedit

type: keyword

ipc object’s user ID

audit.kernel.data.macprotoedit

type: keyword

ethernet packet type ID field

audit.kernel.data.objedit

type: keyword

lspp object context string

audit.kernel.data.a[[:digit:]+]\[.*]edit

type: keyword

the arguments to the execve syscall

audit.kernel.data.ipidedit

type: keyword

IP datagram fragment identifier

audit.kernel.data.new-fsedit

type: keyword

file system being added to vm

audit.kernel.data.vm-pidedit

type: keyword

vm’s process ID

audit.kernel.data.cap_piedit

type: keyword

process inherited capability map

audit.kernel.data.old-auidedit

type: keyword

previous auid value

audit.kernel.data.osesedit

type: keyword

object’s session ID

audit.kernel.data.fdedit

type: keyword

file descriptor number

audit.kernel.data.igidedit

type: keyword

ipc object’s group ID

audit.kernel.data.new-diskedit

type: keyword

disk being added to vm

audit.kernel.data.parentedit

type: keyword

the inode number of the parent file

audit.kernel.data.lenedit

type: keyword

length

audit.kernel.data.oflagedit

type: keyword

open syscall flags

audit.kernel.data.uuidedit

type: keyword

a UUID

audit.kernel.data.codeedit

type: keyword

seccomp action code

audit.kernel.data.nlnk-grpedit

type: keyword

netlink group number

audit.kernel.data.cap_fpedit

type: keyword

file permitted capability map

audit.kernel.data.new-memedit

type: keyword

new amount of memory in KB

audit.kernel.data.sepermedit

type: keyword

SELinux permission being decided on

audit.kernel.data.enforcingedit

type: keyword

new MAC enforcement status

audit.kernel.data.new-chardevedit

type: keyword

new character device being assigned to vm

audit.kernel.data.old-rngedit

type: keyword

device name of rng being removed from a vm

audit.kernel.data.outifedit

type: keyword

out interface number

audit.kernel.data.cmdedit

type: keyword

command being executed

audit.kernel.data.hookedit

type: keyword

netfilter hook that packet came from

audit.kernel.data.new-leveledit

type: keyword

new run level

audit.kernel.data.sauidedit

type: keyword

sent login user ID

audit.kernel.data.sigedit

type: keyword

signal number

audit.kernel.data.audit_backlog_wait_timeedit

type: keyword

audit system’s backlog wait time

audit.kernel.data.printeredit

type: keyword

printer name

audit.kernel.data.old-memedit

type: keyword

present amount of memory in KB

audit.kernel.data.permedit

type: keyword

the file permission being used

audit.kernel.data.old_piedit

type: keyword

old process inherited capability map

audit.kernel.data.stateedit

type: keyword

audit daemon configuration resulting state

audit.kernel.data.formatedit

type: keyword

audit log’s format

audit.kernel.data.new_gidedit

type: keyword

new group ID being assigned

audit.kernel.data.tcontextedit

type: keyword

the target’s or object’s context string

audit.kernel.data.majedit

type: keyword

device major number

audit.kernel.data.watchedit

type: keyword

file name in a watch record

audit.kernel.data.deviceedit

type: keyword

device name

audit.kernel.data.grpedit

type: keyword

group name

audit.kernel.data.booledit

type: keyword

name of SELinux boolean

audit.kernel.data.icmp_typeedit

type: keyword

type of icmp message

audit.kernel.data.new_lockedit

type: keyword

new value of feature lock

audit.kernel.data.old_promedit

type: keyword

network promiscuity flag

audit.kernel.data.acledit

type: keyword

access mode of resource assigned to vm

audit.kernel.data.ipedit

type: keyword

network address of a printer

audit.kernel.data.new_piedit

type: keyword

new process inherited capability map

audit.kernel.data.default-contextedit

type: keyword

default MAC context

audit.kernel.data.inode_gidedit

type: keyword

group ID of the inode’s owner

audit.kernel.data.new-log_passwdedit

type: keyword

new value for TTY password logging

audit.kernel.data.new_peedit

type: keyword

new process effective capability map

audit.kernel.data.selected-contextedit

type: keyword

new MAC context assigned to session

audit.kernel.data.cap_fveredit

type: keyword

file system capabilities version number

audit.kernel.data.fileedit

type: keyword

file name

audit.kernel.data.netedit

type: keyword

network MAC address

audit.kernel.data.virtedit

type: keyword

kind of virtualization being referenced

audit.kernel.data.cap_ppedit

type: keyword

process permitted capability map

audit.kernel.data.old-rangeedit

type: keyword

present SELinux range

audit.kernel.data.resrcedit

type: keyword

resource being assigned

audit.kernel.data.new-rangeedit

type: keyword

new SELinux range

audit.kernel.data.obj_gidedit

type: keyword

group ID of object

audit.kernel.data.protoedit

type: keyword

network protocol

audit.kernel.data.old-diskedit

type: keyword

disk being removed from vm

audit.kernel.data.audit_failureedit

type: keyword

audit system’s failure mode

audit.kernel.data.inifedit

type: keyword

in interface number

audit.kernel.data.vmedit

type: keyword

virtual machine name

audit.kernel.data.flagsedit

type: keyword

mmap syscall flags

audit.kernel.data.nlnk-famedit

type: keyword

netlink protocol number

audit.kernel.data.old-fsedit

type: keyword

file system being removed from vm

audit.kernel.data.old-sesedit

type: keyword

previous ses value

audit.kernel.data.seqnoedit

type: keyword

sequence number

audit.kernel.data.fveredit

type: keyword

file system capabilities version number

audit.kernel.data.qbytesedit

type: keyword

ipc objects quantity of bytes

audit.kernel.data.seuseredit

type: keyword

user’s SE Linux user acct

audit.kernel.data.cap_feedit

type: keyword

file assigned effective capability map

audit.kernel.data.new-vcpuedit

type: keyword

new number of CPU cores

audit.kernel.data.old-leveledit

type: keyword

old run level

audit.kernel.data.old_ppedit

type: keyword

old process permitted capability map

audit.kernel.data.daddredit

type: keyword

remote IP address

audit.kernel.data.old-roleedit

type: keyword

present SELinux role

audit.kernel.data.ioctlcmdedit

type: keyword

The request argument to the ioctl syscall

audit.kernel.data.smacedit

type: keyword

local MAC address

audit.kernel.data.apparmoredit

type: keyword

apparmor event information

audit.kernel.data.feedit

type: keyword

file assigned effective capability map

audit.kernel.data.perm_maskedit

type: keyword

file permission mask that triggered a watch event

audit.kernel.data.sesedit

type: keyword

login session ID

audit.kernel.data.cap_fiedit

type: keyword

file inherited capability map

audit.kernel.data.obj_uidedit

type: keyword

user ID of object

audit.kernel.data.reasonedit

type: keyword

text string denoting a reason for the action

audit.kernel.data.listedit

type: keyword

the audit system’s filter list number

audit.kernel.data.old_lockedit

type: keyword

present value of feature lock

audit.kernel.data.busedit

type: keyword

name of subsystem bus a vm resource belongs to

audit.kernel.data.old_peedit

type: keyword

old process effective capability map

audit.kernel.data.new-roleedit

type: keyword

new SELinux role

audit.kernel.data.promedit

type: keyword

network promiscuity flag

audit.kernel.data.uriedit

type: keyword

URI pointing to a printer

audit.kernel.data.audit_enablededit

type: keyword

audit systems’s enable/disable status

audit.kernel.data.old-log_passwdedit

type: keyword

present value for TTY password logging

audit.kernel.data.old-seuseredit

type: keyword

present SELinux user

audit.kernel.data.peredit

type: keyword

linux personality

audit.kernel.data.scontextedit

type: keyword

the subject’s context string

audit.kernel.data.tclassedit

type: keyword

target’s object classification

audit.kernel.data.veredit

type: keyword

audit daemon’s version number

audit.kernel.data.newedit

type: keyword

value being set in feature

audit.kernel.data.valedit

type: keyword

generic value associated with the operation

audit.kernel.data.img-ctxedit

type: keyword

the vm’s disk image context string

audit.kernel.data.old-chardevedit

type: keyword

present character device assigned to vm

audit.kernel.data.old_valedit

type: keyword

current value of SELinux boolean

audit.kernel.data.successedit

type: keyword

whether the syscall was successful or not

audit.kernel.data.inode_uidedit

type: keyword

user ID of the inode’s owner

audit.kernel.data.removededit

type: keyword

number of deleted files

audit.kernel.messagesedit

type: text

An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if kernel.include_raw_message is set in the config.

audit.kernel.warningsedit

type: keyword

The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.

geoip fieldsedit

Contains GeoIP information gathered based on the os_events.audit.addr field. Only present if the GeoIP Elasticsearch plugin is available and used.

audit.kernel.geoip.continent_nameedit

type: keyword

The name of the continent.

audit.kernel.geoip.city_nameedit

type: keyword

The name of the city.

audit.kernel.geoip.region_nameedit

type: keyword

The name of the region.

audit.kernel.geoip.country_iso_codeedit

type: keyword

Country ISO code.

audit.kernel.geoip.locationedit

type: geo_point

The longitude and latitude.