- key: auditd
  title: Auditd
  description: These are the fields generated by the auditd module.
  fields:
    - name: event
      type: group
      fields:
        - name: category
          type: keyword
          example: audit-rule
          description: >
            The event's category is a value derived from the `record_type`.
        - name: type
          type: keyword
          description: The audit record's type.

    - name: user
      type: group
      fields:
        - name: auid
          type: keyword
          description: login user ID
        - name: uid
          type: keyword
          description: user ID
        - name: euid
          type: keyword
          description: effective user ID
        - name: fsuid
          type: keyword
          description: file system user ID
        - name: suid
          type: keyword
          description: sent user ID
        - name: gid
          type: keyword
          description: group ID
        - name: egid
          type: keyword
          description: effective group ID
        - name: sgid
          type: keyword
          description: set group ID
        - name: fsgid
          type: keyword
          description: file system group ID

        - name: name_map
          type: group
          description: >
            If `resolve_ids` is set to true in the configuration then `name_map`
            will contain a mapping of uid field names to the resolved name
            (e.g. auid -> root).
          fields:
            - name: auid
              type: keyword
              description: login user name
            - name: uid
              type: keyword
              description: user name
            - name: euid
              type: keyword
              description: effective user name
            - name: fsuid
              type: keyword
              description: file system user name
            - name: suid
              type: keyword
              description: sent user name
            - name: gid
              type: keyword
              description: group name
            - name: egid
              type: keyword
              description: effective group name
            - name: sgid
              type: keyword
              description: set group name
            - name: fsgid
              type: keyword
              description: file system group name

        - name: selinux
          type: group
          description: The SELinux identity of the actor.
          fields:
            - name: user
              type: keyword
              description: account submitted for authentication
            - name: role
              type: keyword
              description: user's SELinux role
            - name: domain
              type: keyword
              description: The actor's SELinux domain or type.
            - name: level
              type: keyword
              example: s0
              description: The actor's SELinux level.
            - name: category
              type: keyword
              description: The actor's SELinux category or compartments.

    - name: process
      type: group
      description: Process attributes.
      fields:
        - name: pid
          type: keyword
          description: Process ID.
        - name: ppid
          type: keyword
          description: Parent process ID.
        - name: name
          type: keyword
          description: Process name (comm).
        - name: title
          type: keyword
          description: Process title or command line parameters (proctitle).
        - name: exe
          type: keyword
          description: Absolute path of the executable.
        - name: cwd
          type: keyword
          description: The current working directory.
        - name: args
          type: keyword
          description: The process arguments as a list.

    - name: source
      type: group
      description: Source that triggered the event.
      fields:
        - name: ip
          type: ip
          description: The remote address.
        - name: port
          type: keyword
          description: The port number.
        - name: hostname
          type: keyword
          description: Hostname of the source.
        - name: path
          type: keyword
          description: This is the path associated with a unix socket.

    - name: destination
      type: group
      description: Destination address that triggered the event.
      fields:
        - name: ip
          type: ip
          description: The remote address.
        - name: port
          type: keyword
          description: The port number.
        - name: hostname
          type: keyword
          description: Hostname of the destination.
        - name: path
          type: keyword
          description: This is the path associated with a unix socket.

    - name: network.direction
      type: keyword
      description: Direction of the network traffic (`incoming` or `outgoing`).

    - name: auditd
      type: group
      fields:
        - name: sequence
          type: long
          description: >
            The sequence number of the event as assigned by the kernel. Sequence
            numbers are stored as a uint32 in the kernel and can roll over.
        - name: session
          type: keyword
          description: >
            The session ID assigned to a login. All events related to a login
            session will have the same value.
        - name: result
          type: keyword
          example: success or fail
          description: The result of the audited operation (success/fail).

        - name: summary
          type: group
          fields:
            - name: actor
              type: group
              description: The actor is the user that triggered the audit event.
              fields:
                - name: primary
                  type: keyword
                  description: >
                    The primary identity of the actor. This is the actor's original
                    login ID. It will not change even if the user changes to another
                    account.
                - name: secondary
                  type: keyword
                  description: >
                    The secondary identity of the actor. This is typically the same
                    as the primary, except for when the user has used `su`.
            - name: object
              type: group
              description: >
                This is the thing or object being acted upon in the event.
              fields:
                - name: type
                  type: keyword
                  description: >
                    A description of what the "thing" is (e.g. file, socket,
                    user-session).
                - name: primary
                  type: keyword
                  description: ""
                - name: secondary
                  type: keyword
                  description: ""
            - name: how
              type: keyword
              description: >
                This describes how the action was performed. Usually this is the
                exe or command that was being executed that triggered the event.

        - name: paths
          type: group
          description: List of paths associated with the event.
          fields:
            - name: inode
              type: keyword
              description: inode number
            - name: dev
              type: keyword
              description: device name as found in /dev
            - name: obj_user
              type: keyword
              description: ""
            - name: obj_role
              type: keyword
              description: ""
            - name: obj_domain
              type: keyword
              description: ""
            - name: obj_level
              type: keyword
              description: ""
            - name: objtype
              type: keyword
              description: ""
            - name: ouid
              type: keyword
              description: file owner user ID
            - name: rdev
              type: keyword
              description: the device identifier (special files only)
            - name: nametype
              type: keyword
              description: kind of file operation being referenced
            - name: ogid
              type: keyword
              description: file owner group ID
            - name: item
              type: keyword
              description: which item is being recorded
            - name: mode
              type: keyword
              description: mode flags on a file
            - name: name
              type: keyword
              description: file name in avcs

        - name: data
          type: group
          description: The data from the audit messages.
          fields:
            - name: action
              type: keyword
              description: netfilter packet disposition
            - name: minor
              type: keyword
              description: device minor number
            - name: acct
              type: keyword
              description: a user's account name
            - name: addr
              type: keyword
              description: the remote address that the user is connecting from
            - name: cipher
              type: keyword
              description: name of crypto cipher selected
            - name: id
              type: keyword
              description: during account changes
            - name: entries
              type: keyword
              description: number of entries in the netfilter table
            - name: kind
              type: keyword
              description: server or client in crypto operation
            - name: ksize
              type: keyword
              description: key size for crypto operation
            - name: spid
              type: keyword
              description: sent process ID
            - name: arch
              type: keyword
              description: the elf architecture flags
            - name: argc
              type: keyword
              description: the number of arguments to an execve syscall
            - name: major
              type: keyword
              description: device major number
            - name: unit
              type: keyword
              description: systemd unit
            - name: table
              type: keyword
              description: netfilter table name
            - name: terminal
              type: keyword
              description: terminal name the user is running programs on
            - name: grantors
              type: keyword
              description: pam modules approving the action
            - name: direction
              type: keyword
              description: direction of crypto operation
            - name: op
              type: keyword
              description: the operation being performed that is audited
            - name: tty
              type: keyword
              description: tty device the user is running programs on
            - name: syscall
              type: keyword
              description: syscall number in effect when the event occurred
            - name: data
              type: keyword
              description: TTY text
            - name: family
              type: keyword
              description: netfilter protocol
            - name: mac
              type: keyword
              description: crypto MAC algorithm selected
            - name: pfs
              type: keyword
              description: perfect forward secrecy method
            - name: items
              type: keyword
              description: the number of path records in the event
            - name: a0
              type: keyword
              description: ""
            - name: a1
              type: keyword
              description: ""
            - name: a2
              type: keyword
              description: ""
            - name: a3
              type: keyword
              description: ""
            - name: hostname
              type: keyword
              description: the hostname that the user is connecting from
            - name: lport
              type: keyword
              description: local network port
            - name: rport
              type: keyword
              description: remote port number
            - name: exit
              type: keyword
              description: syscall exit code
            - name: fp
              type: keyword
              description: crypto key fingerprint
            - name: laddr
              type: keyword
              description: local network address
            - name: sport
              type: keyword
              description: local port number
            - name: capability
              type: keyword
              description: posix capabilities
            - name: nargs
              type: keyword
              description: the number of arguments to a socket call
            - name: new-enabled
              type: keyword
              description: new TTY audit enabled setting
            - name: audit_backlog_limit
              type: keyword
              description: audit system's backlog queue size
            - name: dir
              type: keyword
              description: directory name
            - name: cap_pe
              type: keyword
              description: process effective capability map
            - name: model
              type: keyword
              description: security model being used for virt
            - name: new_pp
              type: keyword
              description: new process permitted capability map
            - name: old-enabled
              type: keyword
              description: present TTY audit enabled setting
            - name: oauid
              type: keyword
              description: object's login user ID
            - name: old
              type: keyword
              description: old value
            - name: banners
              type: keyword
              description: banners used on printed page
            - name: feature
              type: keyword
              description: kernel feature being changed
            - name: vm-ctx
              type: keyword
              description: the vm's context string
            - name: opid
              type: keyword
              description: object's process ID
            - name: seperms
              type: keyword
              description: SELinux permissions being used
            - name: seresult
              type: keyword
              description: SELinux AVC decision granted/denied
            - name: new-rng
              type: keyword
              description: device name of rng being added from a vm
            - name: old-net
              type: keyword
              description: present MAC address assigned to vm
            - name: sigev_signo
              type: keyword
              description: signal number
            - name: ino
              type: keyword
              description: inode number
            - name: old_enforcing
              type: keyword
              description: old MAC enforcement status
            - name: old-vcpu
              type: keyword
              description: present number of CPU cores
            - name: range
              type: keyword
              description: user's SELinux range
            - name: res
              type: keyword
              description: result of the audited operation (success/fail)
            - name: added
              type: keyword
              description: number of new files detected
            - name: fam
              type: keyword
              description: socket address family
            - name: nlnk-pid
              type: keyword
              description: pid of netlink packet sender
            - name: subj
              type: keyword
              description: lspp subject's context string
            - name: a[0-3]
              type: keyword
              description: the arguments to a syscall
            - name: cgroup
              type: keyword
              description: path to cgroup in sysfs
            - name: kernel
              type: keyword
              description: kernel's version number
            - name: ocomm
              type: keyword
              description: object's command line name
            - name: new-net
              type: keyword
              description: MAC address being assigned to vm
            - name: permissive
              type: keyword
              description: SELinux is in permissive mode
            - name: class
              type: keyword
              description: resource class assigned to vm
            - name: compat
              type: keyword
              description: is_compat_task result
            - name: fi
              type: keyword
              description: file assigned inherited capability map
            - name: changed
              type: keyword
              description: number of changed files
            - name: msg
              type: keyword
              description: the payload of the audit record
            - name: dport
              type: keyword
              description: remote port number
            - name: new-seuser
              type: keyword
              description: new SELinux user
            - name: invalid_context
              type: keyword
              description: SELinux context
            - name: dmac
              type: keyword
              description: remote MAC address
            - name: ipx-net
              type: keyword
              description: IPX network number
            - name: iuid
              type: keyword
              description: ipc object's user ID
            - name: macproto
              type: keyword
              description: ethernet packet type ID field
            - name: obj
              type: keyword
              description: lspp object context string
            - name: ipid
              type: keyword
              description: IP datagram fragment identifier
            - name: new-fs
              type: keyword
              description: file system being added to vm
            - name: vm-pid
              type: keyword
              description: vm's process ID
            - name: cap_pi
              type: keyword
              description: process inherited capability map
            - name: old-auid
              type: keyword
              description: previous auid value
            - name: oses
              type: keyword
              description: object's session ID
            - name: fd
              type: keyword
              description: file descriptor number
            - name: igid
              type: keyword
              description: ipc object's group ID
            - name: new-disk
              type: keyword
              description: disk being added to vm
            - name: parent
              type: keyword
              description: the inode number of the parent file
            - name: len
              type: keyword
              description: length
            - name: oflag
              type: keyword
              description: open syscall flags
            - name: uuid
              type: keyword
              description: a UUID
            - name: code
              type: keyword
              description: seccomp action code
            - name: nlnk-grp
              type: keyword
              description: netlink group number
            - name: cap_fp
              type: keyword
              description: file permitted capability map
            - name: new-mem
              type: keyword
              description: new amount of memory in KB
            - name: seperm
              type: keyword
              description: SELinux permission being decided on
            - name: enforcing
              type: keyword
              description: new MAC enforcement status
            - name: new-chardev
              type: keyword
              description: new character device being assigned to vm
            - name: old-rng
              type: keyword
              description: device name of rng being removed from a vm
            - name: outif
              type: keyword
              description: out interface number
            - name: cmd
              type: keyword
              description: command being executed
            - name: hook
              type: keyword
              description: netfilter hook that packet came from
            - name: new-level
              type: keyword
              description: new run level
            - name: sauid
              type: keyword
              description: sent login user ID
            - name: sig
              type: keyword
              description: signal number
            - name: audit_backlog_wait_time
              type: keyword
              description: audit system's backlog wait time
            - name: printer
              type: keyword
              description: printer name
            - name: old-mem
              type: keyword
              description: present amount of memory in KB
            - name: perm
              type: keyword
              description: the file permission being used
            - name: old_pi
              type: keyword
              description: old process inherited capability map
            - name: state
              type: keyword
              description: audit daemon configuration resulting state
            - name: format
              type: keyword
              description: audit log's format
            - name: new_gid
              type: keyword
              description: new group ID being assigned
            - name: tcontext
              type: keyword
              description: the target's or object's context string
            - name: maj
              type: keyword
              description: device major number
            - name: watch
              type: keyword
              description: file name in a watch record
            - name: device
              type: keyword
              description: device name
            - name: grp
              type: keyword
              description: group name
            - name: bool
              type: keyword
              description: name of SELinux boolean
            - name: icmp_type
              type: keyword
              description: type of icmp message
            - name: new_lock
              type: keyword
              description: new value of feature lock
            - name: old_prom
              type: keyword
              description: network promiscuity flag
            - name: acl
              type: keyword
              description: access mode of resource assigned to vm
            - name: ip
              type: keyword
              description: network address of a printer
            - name: new_pi
              type: keyword
              description: new process inherited capability map
            - name: default-context
              type: keyword
              description: default MAC context
            - name: inode_gid
              type: keyword
              description: group ID of the inode's owner
            - name: new-log_passwd
              type: keyword
              description: new value for TTY password logging
            - name: new_pe
              type: keyword
              description: new process effective capability map
            - name: selected-context
              type: keyword
              description: new MAC context assigned to session
            - name: cap_fver
              type: keyword
              description: file system capabilities version number
            - name: file
              type: keyword
              description: file name
            - name: net
              type: keyword
              description: network MAC address
            - name: virt
              type: keyword
              description: kind of virtualization being referenced
            - name: cap_pp
              type: keyword
              description: process permitted capability map
            - name: old-range
              type: keyword
              description: present SELinux range
            - name: resrc
              type: keyword
              description: resource being assigned
            - name: new-range
              type: keyword
              description: new SELinux range
            - name: obj_gid
              type: keyword
              description: group ID of object
            - name: proto
              type: keyword
              description: network protocol
            - name: old-disk
              type: keyword
              description: disk being removed from vm
            - name: audit_failure
              type: keyword
              description: audit system's failure mode
            - name: inif
              type: keyword
              description: in interface number
            - name: vm
              type: keyword
              description: virtual machine name
            - name: flags
              type: keyword
              description: mmap syscall flags
            - name: nlnk-fam
              type: keyword
              description: netlink protocol number
            - name: old-fs
              type: keyword
              description: file system being removed from vm
            - name: old-ses
              type: keyword
              description: previous ses value
            - name: seqno
              type: keyword
              description: sequence number
            - name: fver
              type: keyword
              description: file system capabilities version number
            - name: qbytes
              type: keyword
              description: ipc object's quantity of bytes
            - name: seuser
              type: keyword
              description: user's SELinux user acct
            - name: cap_fe
              type: keyword
              description: file assigned effective capability map
            - name: new-vcpu
              type: keyword
              description: new number of CPU cores
            - name: old-level
              type: keyword
              description: old run level
            - name: old_pp
              type: keyword
              description: old process permitted capability map
            - name: daddr
              type: keyword
              description: remote IP address
            - name: old-role
              type: keyword
              description: present SELinux role
            - name: ioctlcmd
              type: keyword
              description: The request argument to the ioctl syscall
            - name: smac
              type: keyword
              description: local MAC address
            - name: apparmor
              type: keyword
              description: apparmor event information
            - name: fe
              type: keyword
              description: file assigned effective capability map
            - name: perm_mask
              type: keyword
              description: file permission mask that triggered a watch event
            - name: ses
              type: keyword
              description: login session ID
            - name: cap_fi
              type: keyword
              description: file inherited capability map
            - name: obj_uid
              type: keyword
              description: user ID of object
            - name: reason
              type: keyword
              description: text string denoting a reason for the action
            - name: list
              type: keyword
              description: the audit system's filter list number
            - name: old_lock
              type: keyword
              description: present value of feature lock
            - name: bus
              type: keyword
              description: name of subsystem bus a vm resource belongs to
            - name: old_pe
              type: keyword
              description: old process effective capability map
            - name: new-role
              type: keyword
              description: new SELinux role
            - name: prom
              type: keyword
              description: network promiscuity flag
            - name: uri
              type: keyword
              description: URI pointing to a printer
            - name: audit_enabled
              type: keyword
              description: audit system's enable/disable status
            - name: old-log_passwd
              type: keyword
              description: present value for TTY password logging
            - name: old-seuser
              type: keyword
              description: present SELinux user
            - name: per
              type: keyword
              description: linux personality
            - name: scontext
              type: keyword
              description: the subject's context string
            - name: tclass
              type: keyword
              description: target's object classification
            - name: ver
              type: keyword
              description: audit daemon's version number
            - name: new
              type: keyword
              description: value being set in feature
            - name: val
              type: keyword
              description: generic value associated with the operation
            - name: img-ctx
              type: keyword
              description: the vm's disk image context string
            - name: old-chardev
              type: keyword
              description: present character device assigned to vm
            - name: old_val
              type: keyword
              description: current value of SELinux boolean
            - name: success
              type: keyword
              description: whether the syscall was successful or not
            - name: inode_uid
              type: keyword
              description: user ID of the inode's owner
            - name: removed
              type: keyword
              description: number of deleted files

            - name: socket
              type: group
              fields:
                - name: port
                  type: keyword
                  description: The port number.
                - name: saddr
                  type: keyword
                  description: The raw socket address structure.
                - name: addr
                  type: keyword
                  description: The remote address.
                - name: family
                  type: keyword
                  example: unix
                  description: The socket family (unix, ipv4, ipv6, netlink).
                - name: path
                  type: keyword
                  description: This is the path associated with a unix socket.

        - name: messages
          type: text
          description: >
            An ordered list of the raw messages received from the kernel that were
            used to construct this document. This field is present if an error
            occurred processing the data or if `include_raw_message` is set in the
            config.
        - name: warnings
          type: keyword
          description: >
            The warnings generated by the Beat during the construction of the
            event. These are disabled by default and are used for development and
            debug purposes only.

    - name: geoip
      type: group
      description: >
        The geoip fields are defined as a convenience in case you decide to
        enrich the data using a geoip filter in Logstash or Ingest Node.
      fields:
        - name: continent_name
          type: keyword
          description: >
            The name of the continent.
        - name: city_name
          type: keyword
          description: >
            The name of the city.
        - name: region_name
          type: keyword
          description: >
            The name of the region.
        - name: country_iso_code
          type: keyword
          description: >
            Country ISO code.
        - name: location
          type: geo_point
          description: >
            The longitude and latitude.