Auditd fieldsedit

Module for parsing auditd logs.

auditd fieldsedit

Fields from the auditd logs.

log fieldsedit

Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type.

auditd.log.record_type
The audit event type.
auditd.log.old_auid
For login events this is the old audit ID used for the user prior to this login.
auditd.log.new_auid
For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).
auditd.log.old_ses
For login events this is the old session ID used for the user prior to this login.
auditd.log.new_ses
For login events this is the new session ID. It can be used to tie a user to future events by session ID.
auditd.log.sequence

type: long

The audit event sequence number.

auditd.log.acct
The user account name associated with the event.
auditd.log.pid
The ID of the process.
auditd.log.ppid
The ID of the process.
auditd.log.items
The number of items in an event.
auditd.log.item
The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item.
auditd.log.a0
The first argument to the system call.
auditd.log.res
The result of the system call (success or failure).

geoip fieldsedit

Contains GeoIP information gathered based on the auditd.log.addr field. Only present if the GeoIP Elasticsearch plugin is available and used.

auditd.log.geoip.continent_name

type: keyword

The name of the continent.

auditd.log.geoip.city_name

type: keyword

The name of the city.

auditd.log.geoip.region_name

type: keyword

The name of the region.

auditd.log.geoip.country_iso_code

type: keyword

Country ISO code.

auditd.log.geoip.location

type: geo_point

The longitude and latitude.

auditd.log.geoip.region_iso_code

type: keyword

Region ISO code.