WARNING: Version 5.5 of Filebeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Auditd Fields
Module for parsing auditd logs.
auditd Fields
Fields from the auditd logs.
log Fields
Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type.
auditd.log.record_type
The audit event type.
auditd.log.old_auid
For login events this is the old audit ID used for the user prior to this login.
auditd.log.new_auid
For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).
auditd.log.old_ses
For login events this is the old session ID used for the user prior to this login.
auditd.log.new_ses
For login events this is the new session ID. It can be used to tie a user to future events by session ID.
auditd.log.sequence
type: long
The audit event sequence number.
auditd.log.acct
The user account name associated with the event.
auditd.log.pid
The ID of the process.
auditd.log.ppid
The ID of the parent process.
auditd.log.items
The number of items in an event.
auditd.log.item
The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item.
auditd.log.a0
The first argument to the system call.
auditd.log.res
The result of the system call (success or failure).
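As an added example (not the Filebeat module's own ingest pipeline), the following Python parses constructed audit records into the auditd.log.* names documented above, groups records that share a sequence number into one event, summarises the audit-ID and session transition of a LOGIN record, and checks that an event's PATH records cover item 0..items-1. The sample lines and the helper names are assumptions of this example; the sentinel 4294967295 is how auditd reports an audit ID or session that is not yet set.

```python
import re
from collections import defaultdict

# Constructed sample records (not a real capture). Records that share a
# sequence number (here 108) belong to one audit event.
SAMPLE = """\
type=LOGIN msg=audit(1497269374.735:107): pid=1234 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=1 res=1
type=SYSCALL msg=audit(1497269374.736:108): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0a3e2f0 items=2 ppid=1233 pid=1234 auid=1000 ses=1 comm="id" key="exec"
type=PATH msg=audit(1497269374.736:108): item=0 name="/usr/bin/id" inode=131 mode=0100755
type=PATH msg=audit(1497269374.736:108): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=77 mode=0100755
"""

HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<seq>\d+)\):\s*(?P<body>.*)$")
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')
# Raw keys of a LOGIN record, renamed to the auditd.log.* names documented above.
LOGIN_RENAME = {"old-auid": "old_auid", "auid": "new_auid", "old-ses": "old_ses", "ses": "new_ses"}
UNSET_ID = "4294967295"  # (unsigned)-1: no audit ID / session assigned yet

def parse_record(line):
    """Parse one audit record into a dict keyed like the auditd.log.* fields."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"record_type": m["type"], "sequence": int(m["seq"]), "timestamp": float(m["ts"])}
    for key, val in KV.findall(m["body"]):
        if rec["record_type"] == "LOGIN":
            key = LOGIN_RENAME.get(key, key)
        val = val.strip('"')
        rec[key] = int(val) if key in ("pid", "ppid", "items", "item") else val
    return rec

def group_events(text):
    """Group records by sequence number, i.e. into whole audit events."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["sequence"]].append(rec)
    return dict(events)

def _show(v):
    return "unset" if v == UNSET_ID else v
def login_summary(rec):
    """Describe the audit-ID and session transition of a LOGIN record."""
    return (f"auid {_show(rec['old_auid'])}->{rec['new_auid']} "
            f"ses {_show(rec['old_ses'])}->{rec['new_ses']} res={rec['res']}")

def items_complete(records):
    """True when an event's PATH records cover item 0..items-1 exactly."""
    syscall = next((r for r in records if r["record_type"] == "SYSCALL"), None)
    paths = sorted(r["item"] for r in records if r["record_type"] == "PATH")
    return syscall is not None and paths == list(range(syscall["items"]))
```

A gap in the item range (or a count that differs from items) is a sign that records of the event were dropped or truncated before they reached the parser.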
geoip Fields
Contains GeoIP information gathered based on the auditd.log.addr field. Only present if the GeoIP Elasticsearch plugin is available and used.
auditd.log.geoip.continent_name
type: keyword
The name of the continent.
auditd.log.geoip.city_name
type: keyword
The name of the city.
auditd.log.geoip.region_name
type: keyword
The name of the region.
auditd.log.geoip.country_iso_code
type: keyword
Country ISO code.
auditd.log.geoip.location
type: geo_point
The longitude and latitude.