youtubebeat/vendor/github.com/elastic/beats/auditbeat/module/auditd/_meta/fields.yml

- key: auditd
  title: Auditd
  description: These are the fields generated by the auditd module.
  fields:
    - name: event
      type: group
      fields:
        - name: category
          type: keyword
          example: audit-rule
          description: >
            The event's category is a value derived from the `record_type`.
        - name: type
          type: keyword
          description: The audit record's type.

    - name: user
      type: group
      fields:
        - name: auid
          type: keyword
          description: login user ID
        - name: uid
          type: keyword
          description: user ID
        - name: euid
          type: keyword
          description: effective user ID
        - name: fsuid
          type: keyword
          description: file system user ID
        - name: suid
          type: keyword
          description: saved set-user-ID
        - name: gid
          type: keyword
          description: group ID
        - name: egid
          type: keyword
          description: effective group ID
        - name: sgid
          type: keyword
          description: saved set-group-ID
        - name: fsgid
          type: keyword
          description: file system group ID
        - name: name_map
          type: group
          description: >
            If `resolve_ids` is set to true in the configuration then `name_map`
            will contain a mapping of uid and gid field names to the resolved name
            (e.g. auid -> root).
          fields:
            - name: auid
              type: keyword
              description: login user name
            - name: uid
              type: keyword
              description: user name
            - name: euid
              type: keyword
              description: effective user name
            - name: fsuid
              type: keyword
              description: file system user name
            - name: suid
              type: keyword
              description: saved set-user name
            - name: gid
              type: keyword
              description: group name
            - name: egid
              type: keyword
              description: effective group name
            - name: sgid
              type: keyword
              description: saved set-group name
            - name: fsgid
              type: keyword
              description: file system group name
        - name: selinux
          type: group
          description: The SELinux identity of the actor.
          fields:
            - name: user
              type: keyword
              description: The actor's SELinux user (the user component of its security context).
            - name: role
              type: keyword
              description: The actor's SELinux role.
            - name: domain
              type: keyword
              description: The actor's SELinux domain or type.
            - name: level
              type: keyword
              example: s0
              description: The actor's SELinux level.
            - name: category
              type: keyword
              description: The actor's SELinux category or compartments.

    - name: process
      type: group
      description: Process attributes.
      fields:
        - name: pid
          type: keyword
          description: Process ID.
        - name: ppid
          type: keyword
          description: Parent process ID.
        - name: name
          type: keyword
          description: Process name (comm).
        - name: title
          type: keyword
          description: Process title or command line parameters (proctitle).
        - name: exe
          type: keyword
          description: Absolute path of the executable.
        - name: cwd
          type: keyword
          description: The current working directory.
        - name: args
          type: keyword
          description: The process arguments as a list.

    - name: source
      type: group
      description: Source that triggered the event.
      fields:
        - name: ip
          type: ip
          description: The remote address.
        - name: port
          type: keyword
          description: The port number.
        - name: hostname
          type: keyword
          description: Hostname of the source.
        - name: path
          type: keyword
          description: This is the path associated with a unix socket.

    - name: destination
      type: group
      description: Destination address that triggered the event.
      fields:
        - name: ip
          type: ip
          description: The destination address.
        - name: port
          type: keyword
          description: The port number.
        - name: hostname
          type: keyword
          description: Hostname of the destination.
        - name: path
          type: keyword
          description: This is the path associated with a unix socket.

    - name: network.direction
      type: keyword
      description: Direction of the network traffic (`incoming` or `outgoing`).

    - name: auditd
      type: group
      fields:
        - name: sequence
          type: long
          description: >
            The sequence number of the event as assigned by the kernel. Sequence
            numbers are stored as a uint32 in the kernel and can roll over.
        - name: session
          type: keyword
          description: >
            The session ID assigned to a login. All events related to a login
            session will have the same value.
        - name: result
          type: keyword
          example: success or fail
          description: The result of the audited operation (success/fail).
        - name: summary
          type: group
          fields:
            - name: actor
              type: group
              description: The actor is the user that triggered the audit event.
              fields:
                - name: primary
                  type: keyword
                  description: >
                    The primary identity of the actor. This is the actor's original login
                    ID. It will not change even if the user changes to another account.
                - name: secondary
                  type: keyword
                  description: >
                    The secondary identity of the actor. This is typically
                    the same as the primary, except for when the user has used `su`.
            - name: object
              type: group
              description: >
                This is the thing or object being acted upon in the event.
              fields:
                - name: type
                  type: keyword
                  description: >
                    A description of what the "thing" is (e.g. file, socket,
                    user-session).
                - name: primary
                  type: keyword
                  description: ""
                - name: secondary
                  type: keyword
                  description: ""
            - name: how
              type: keyword
              description: >
                This describes how the action was performed. Usually this is the exe
                or command that was being executed that triggered the event.
        - name: paths
          type: group
          description: List of paths associated with the event.
          fields:
            - name: inode
              type: keyword
              description: inode number
            - name: dev
              type: keyword
              description: device number of the file's file system (major:minor in hex, e.g. fd:01)
            - name: obj_user
              type: keyword
              description: ""
            - name: obj_role
              type: keyword
              description: ""
            - name: obj_domain
              type: keyword
              description: ""
            - name: obj_level
              type: keyword
              description: ""
            - name: objtype
              type: keyword
              description: ""
            - name: ouid
              type: keyword
              description: file owner user ID
            - name: rdev
              type: keyword
              description: the device identifier (special files only)
            - name: nametype
              type: keyword
              description: kind of file operation being referenced
            - name: ogid
              type: keyword
              description: file owner group ID
            - name: item
              type: keyword
              description: which item is being recorded
            - name: mode
              type: keyword
              description: mode flags on a file
            - name: name
              type: keyword
              description: file name as recorded in the PATH record
        - name: data
          type: group
          description: The data from the audit messages.
          fields:
            - name: action
              type: keyword
              description: netfilter packet disposition
            - name: minor
              type: keyword
              description: device minor number
            - name: acct
              type: keyword
              description: a user's account name
            - name: addr
              type: keyword
              description: the remote address that the user is connecting from
            - name: cipher
              type: keyword
              description: name of crypto cipher selected
            - name: id
              type: keyword
              description: ID of the account being changed (account-change records)
            - name: entries
              type: keyword
              description: number of entries in the netfilter table
            - name: kind
              type: keyword
              description: server or client in crypto operation
            - name: ksize
              type: keyword
              description: key size for crypto operation
            - name: spid
              type: keyword
              description: sent process ID
            - name: arch
              type: keyword
              description: the syscall architecture (ELF machine type plus 64-bit and endianness flags, e.g. c000003e for x86_64)
            - name: argc
              type: keyword
              description: the number of arguments to an execve syscall
            - name: major
              type: keyword
              description: device major number
            - name: unit
              type: keyword
              description: systemd unit
            - name: table
              type: keyword
              description: netfilter table name
            - name: terminal
              type: keyword
              description: terminal name the user is running programs on
            - name: grantors
              type: keyword
              description: pam modules approving the action
            - name: direction
              type: keyword
              description: direction of crypto operation
            - name: op
              type: keyword
              description: the operation being performed that is audited
            - name: tty
              type: keyword
              description: tty device the user is running programs on
            - name: syscall
              type: keyword
              description: syscall number in effect when the event occurred
            - name: data
              type: keyword
              description: TTY text
            - name: family
              type: keyword
              description: netfilter protocol
            - name: mac
              type: keyword
              description: crypto MAC algorithm selected
            - name: pfs
              type: keyword
              description: perfect forward secrecy method
            - name: items
              type: keyword
              description: the number of path records in the event
            - name: a0
              type: keyword
              description: ""
            - name: a1
              type: keyword
              description: ""
            - name: a2
              type: keyword
              description: ""
            - name: a3
              type: keyword
              description: ""
            - name: hostname
              type: keyword
              description: the hostname that the user is connecting from
            - name: lport
              type: keyword
              description: local network port
            - name: rport
              type: keyword
              description: remote port number
            - name: exit
              type: keyword
              description: syscall return value (negative errno on failure)
            - name: fp
              type: keyword
              description: crypto key fingerprint
            - name: laddr
              type: keyword
              description: local network address
            - name: sport
              type: keyword
              description: local port number
            - name: capability
              type: keyword
              description: posix capabilities
            - name: nargs
              type: keyword
              description: the number of arguments to a socket call
            - name: new-enabled
              type: keyword
              description: new TTY audit enabled setting
            - name: audit_backlog_limit
              type: keyword
              description: audit system's backlog queue size
            - name: dir
              type: keyword
              description: directory name
            - name: cap_pe
              type: keyword
              description: process effective capability map
            - name: model
              type: keyword
              description: security model being used for virt
            - name: new_pp
              type: keyword
              description: new process permitted capability map
            - name: old-enabled
              type: keyword
              description: present TTY audit enabled setting
            - name: oauid
              type: keyword
              description: object's login user ID
            - name: old
              type: keyword
              description: old value
            - name: banners
              type: keyword
              description: banners used on printed page
            - name: feature
              type: keyword
              description: kernel feature being changed
            - name: vm-ctx
              type: keyword
              description: the vm's context string
            - name: opid
              type: keyword
              description: object's process ID
            - name: seperms
              type: keyword
              description: SELinux permissions being used
            - name: seresult
              type: keyword
              description: SELinux AVC decision granted/denied
            - name: new-rng
              type: keyword
              description: device name of rng being added from a vm
            - name: old-net
              type: keyword
              description: present MAC address assigned to vm
            - name: sigev_signo
              type: keyword
              description: signal number
            - name: ino
              type: keyword
              description: inode number
            - name: old_enforcing
              type: keyword
              description: old MAC enforcement status
            - name: old-vcpu
              type: keyword
              description: present number of CPU cores
            - name: range
              type: keyword
              description: user's SELinux range
            - name: res
              type: keyword
              description: result of the audited operation (success/fail)
            - name: added
              type: keyword
              description: number of new files detected
            - name: fam
              type: keyword
              description: socket address family
            - name: nlnk-pid
              type: keyword
              description: pid of netlink packet sender
            - name: subj
              type: keyword
              description: lspp subject's context string
            - name: a[0-3]
              type: keyword
              description: the arguments to a syscall
            - name: cgroup
              type: keyword
              description: path to cgroup in sysfs
            - name: kernel
              type: keyword
              description: kernel's version number
            - name: ocomm
              type: keyword
              description: object's command line name
            - name: new-net
              type: keyword
              description: MAC address being assigned to vm
            - name: permissive
              type: keyword
              description: SELinux is in permissive mode
            - name: class
              type: keyword
              description: resource class assigned to vm
            - name: compat
              type: keyword
              description: is_compat_task result
            - name: fi
              type: keyword
              description: file assigned inherited capability map
            - name: changed
              type: keyword
              description: number of changed files
            - name: msg
              type: keyword
              description: the payload of the audit record
            - name: dport
              type: keyword
              description: remote port number
            - name: new-seuser
              type: keyword
              description: new SELinux user
            - name: invalid_context
              type: keyword
              description: SELinux context
            - name: dmac
              type: keyword
              description: remote MAC address
            - name: ipx-net
              type: keyword
              description: IPX network number
            - name: iuid
              type: keyword
              description: ipc object's user ID
            - name: macproto
              type: keyword
              description: ethernet packet type ID field
            - name: obj
              type: keyword
              description: lspp object context string
            - name: ipid
              type: keyword
              description: IP datagram fragment identifier
            - name: new-fs
              type: keyword
              description: file system being added to vm
            - name: vm-pid
              type: keyword
              description: vm's process ID
            - name: cap_pi
              type: keyword
              description: process inherited capability map
            - name: old-auid
              type: keyword
              description: previous auid value
            - name: oses
              type: keyword
              description: object's session ID
            - name: fd
              type: keyword
              description: file descriptor number
            - name: igid
              type: keyword
              description: ipc object's group ID
            - name: new-disk
              type: keyword
              description: disk being added to vm
            - name: parent
              type: keyword
              description: the inode number of the parent file
            - name: len
              type: keyword
              description: length
            - name: oflag
              type: keyword
              description: open syscall flags
            - name: uuid
              type: keyword
              description: a UUID
            - name: code
              type: keyword
              description: seccomp action code
            - name: nlnk-grp
              type: keyword
              description: netlink group number
            - name: cap_fp
              type: keyword
              description: file permitted capability map
            - name: new-mem
              type: keyword
              description: new amount of memory in KB
            - name: seperm
              type: keyword
              description: SELinux permission being decided on
            - name: enforcing
              type: keyword
              description: new MAC enforcement status
            - name: new-chardev
              type: keyword
              description: new character device being assigned to vm
            - name: old-rng
              type: keyword
              description: device name of rng being removed from a vm
            - name: outif
              type: keyword
              description: out interface number
            - name: cmd
              type: keyword
              description: command being executed
            - name: hook
              type: keyword
              description: netfilter hook that packet came from
            - name: new-level
              type: keyword
              description: new run level
            - name: sauid
              type: keyword
              description: sent login user ID
            - name: sig
              type: keyword
              description: signal number
            - name: audit_backlog_wait_time
              type: keyword
              description: audit system's backlog wait time
            - name: printer
              type: keyword
              description: printer name
            - name: old-mem
              type: keyword
              description: present amount of memory in KB
            - name: perm
              type: keyword
              description: the file permission being used
            - name: old_pi
              type: keyword
              description: old process inherited capability map
            - name: state
              type: keyword
              description: audit daemon configuration resulting state
            - name: format
              type: keyword
              description: audit log's format
            - name: new_gid
              type: keyword
              description: new group ID being assigned
            - name: tcontext
              type: keyword
              description: the target's or object's context string
            - name: maj
              type: keyword
              description: device major number
            - name: watch
              type: keyword
              description: file name in a watch record
            - name: device
              type: keyword
              description: device name
            - name: grp
              type: keyword
              description: group name
            - name: bool
              type: keyword
              description: name of SELinux boolean
            - name: icmp_type
              type: keyword
              description: type of icmp message
            - name: new_lock
              type: keyword
              description: new value of feature lock
            - name: old_prom
              type: keyword
              description: network promiscuity flag
            - name: acl
              type: keyword
              description: access mode of resource assigned to vm
            - name: ip
              type: keyword
              description: network address of a printer
            - name: new_pi
              type: keyword
              description: new process inherited capability map
            - name: default-context
              type: keyword
              description: default MAC context
            - name: inode_gid
              type: keyword
              description: group ID of the inode's owner
            - name: new-log_passwd
              type: keyword
              description: new value for TTY password logging
            - name: new_pe
              type: keyword
              description: new process effective capability map
            - name: selected-context
              type: keyword
              description: new MAC context assigned to session
            - name: cap_fver
              type: keyword
              description: file system capabilities version number
            - name: file
              type: keyword
              description: file name
            - name: net
              type: keyword
              description: network MAC address
            - name: virt
              type: keyword
              description: kind of virtualization being referenced
            - name: cap_pp
              type: keyword
              description: process permitted capability map
            - name: old-range
              type: keyword
              description: present SELinux range
            - name: resrc
              type: keyword
              description: resource being assigned
            - name: new-range
              type: keyword
              description: new SELinux range
            - name: obj_gid
              type: keyword
              description: group ID of object
            - name: proto
              type: keyword
              description: network protocol
            - name: old-disk
              type: keyword
              description: disk being removed from vm
            - name: audit_failure
              type: keyword
              description: audit system's failure mode
            - name: inif
              type: keyword
              description: in interface number
            - name: vm
              type: keyword
              description: virtual machine name
            - name: flags
              type: keyword
              description: mmap syscall flags
            - name: nlnk-fam
              type: keyword
              description: netlink protocol number
            - name: old-fs
              type: keyword
              description: file system being removed from vm
            - name: old-ses
              type: keyword
              description: previous ses value
            - name: seqno
              type: keyword
              description: sequence number
            - name: fver
              type: keyword
              description: file system capabilities version number
            - name: qbytes
              type: keyword
              description: ipc objects quantity of bytes
            - name: seuser
              type: keyword
              description: user's SELinux user account
            - name: cap_fe
              type: keyword
              description: file assigned effective capability map
            - name: new-vcpu
              type: keyword
              description: new number of CPU cores
            - name: old-level
              type: keyword
              description: old run level
            - name: old_pp
              type: keyword
              description: old process permitted capability map
            - name: daddr
              type: keyword
              description: remote IP address
            - name: old-role
              type: keyword
              description: present SELinux role
            - name: ioctlcmd
              type: keyword
              description: The request argument to the ioctl syscall
            - name: smac
              type: keyword
              description: local MAC address
            - name: apparmor
              type: keyword
              description: apparmor event information
            - name: fe
              type: keyword
              description: file assigned effective capability map
            - name: perm_mask
              type: keyword
              description: file permission mask that triggered a watch event
            - name: ses
              type: keyword
              description: login session ID
            - name: cap_fi
              type: keyword
              description: file inherited capability map
            - name: obj_uid
              type: keyword
              description: user ID of object
            - name: reason
              type: keyword
              description: text string denoting a reason for the action
            - name: list
              type: keyword
              description: the audit system's filter list number
            - name: old_lock
              type: keyword
              description: present value of feature lock
            - name: bus
              type: keyword
              description: name of subsystem bus a vm resource belongs to
            - name: old_pe
              type: keyword
              description: old process effective capability map
            - name: new-role
              type: keyword
              description: new SELinux role
            - name: prom
              type: keyword
              description: network promiscuity flag
            - name: uri
              type: keyword
              description: URI pointing to a printer
            - name: audit_enabled
              type: keyword
              description: audit system's enable/disable status
            - name: old-log_passwd
              type: keyword
              description: present value for TTY password logging
            - name: old-seuser
              type: keyword
              description: present SELinux user
            - name: per
              type: keyword
              description: linux personality
            - name: scontext
              type: keyword
              description: the subject's context string
            - name: tclass
              type: keyword
              description: target's object classification
            - name: ver
              type: keyword
              description: audit daemon's version number
            - name: new
              type: keyword
              description: value being set in feature
            - name: val
              type: keyword
              description: generic value associated with the operation
            - name: img-ctx
              type: keyword
              description: the vm's disk image context string
            - name: old-chardev
              type: keyword
              description: present character device assigned to vm
            - name: old_val
              type: keyword
              description: current value of SELinux boolean
            - name: success
              type: keyword
              description: whether the syscall was successful or not
            - name: inode_uid
              type: keyword
              description: user ID of the inode's owner
            - name: removed
              type: keyword
              description: number of deleted files
            - name: socket
              type: group
              fields:
                - name: port
                  type: keyword
                  description: The port number.
                - name: saddr
                  type: keyword
                  description: The raw socket address structure.
                - name: addr
                  type: keyword
                  description: The remote address.
                - name: family
                  type: keyword
                  example: unix
                  description: The socket family (unix, ipv4, ipv6, netlink).
                - name: path
                  type: keyword
                  description: This is the path associated with a unix socket.
        - name: messages
          type: text
          description: >
            An ordered list of the raw messages received from the kernel that
            were used to construct this document. This field is present if an error
            occurred processing the data or if `include_raw_message` is set
            in the config.
        - name: warnings
          type: keyword
          description: >
            The warnings generated by the Beat during the construction of the event.
            These are disabled by default and are used for development and debug
            purposes only.

    - name: geoip
      type: group
      description: >
        The geoip fields are defined as a convenience in case you decide to
        enrich the data using a geoip filter in Logstash or Ingest Node.
      fields:
        - name: continent_name
          type: keyword
          description: >
            The name of the continent.
        - name: city_name
          type: keyword
          description: >
            The name of the city.
        - name: region_name
          type: keyword
          description: >
            The name of the region.
        - name: country_iso_code
          type: keyword
          description: >
            Country ISO code.
        - name: location
          type: geo_point
          description: >
            The longitude and latitude.
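How the raw kernel records that `auditd.messages` carries become the `user`, `user.name_map`, `process`, `auditd.paths`, `auditd.result` and `auditd.sequence` fields defined above, as an added example that is not Auditbeat's own code. It constructs its own sample records (three records of one execve event, shaped like auditd output but not a captured log), uses a hypothetical `idNames` table in place of the passwd/group lookups that `resolve_ids` performs, and decodes the hex-encoded `proctitle` value; the function and type names are the example's own. The record layout it parses (`type=... msg=audit(seconds.millis:sequence): key=value ...`, with "untrusted" strings such as `comm`, `exe`, `name` and `proctitle` quoted when clean and emitted as unquoted hex when they contain a quote, space or control character) is the kernel's standard format. Records that do not share the event's sequence number are rejected, since the sequence is what ties the records of one event together.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

var (
	// Constructed sample input: the kernel records of one execve event, shaped like auditd output but not a captured log.
	sampleMessages = []string{
		`type=SYSCALL msg=audit(1589291290.123:4242): arch=c000003e syscall=59 success=yes exit=0 a0=55d1b6e3e2c0 a1=55d1b6e3f090 a2=55d1b6e3e010 a3=8 items=1 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="exec"`,
		`type=PATH msg=audit(1589291290.123:4242): item=0 name="/usr/bin/ls" inode=131 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL`,
		`type=PROCTITLE msg=audit(1589291290.123:4242): proctitle=6C73002D6C`,
	}
	// Hypothetical id-to-name table standing in for the passwd/group lookups done when resolve_ids is true.
	idNames = map[string]string{"0": "root", "1000": "alice"}
	// Keys the kernel logs as untrusted strings: quoted when clean, unquoted hex when they hold a quote, space or control char.
	untrustedKeys = map[string]bool{"comm": true, "exe": true, "cwd": true, "name": true, "proctitle": true, "key": true}
	headerRE      = regexp.MustCompile(`^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$`)
	kvRE          = regexp.MustCompile(`(\S+?)=(?:"([^"]*)"|(\S*))`)
	idKeys        = []string{"auid", "uid", "euid", "fsuid", "suid", "gid", "egid", "sgid", "fsgid"}
)

// Event holds the subset of the fields.yml schema that this example populates.
type Event struct {
	Sequence uint32              // auditd.sequence: a uint32 in the kernel, so it can roll over
	Result   string              // auditd.result: "success" or "fail"
	User     map[string]string   // user.auid, user.uid, ... as numeric strings
	NameMap  map[string]string   // user.name_map.*, filled only when resolveIDs is set
	Process  map[string]string   // process.pid, ppid, name, exe, title
	Paths    []map[string]string // auditd.paths: one map per PATH record
}

// parseRecord splits one raw line into record type, sequence number and key/value pairs.
func parseRecord(line string) (string, uint32, map[string]string, error) {
	m := headerRE.FindStringSubmatch(line)
	if m == nil {
		return "", 0, nil, fmt.Errorf("not an audit record: %q", line)
	}
	seq, err := strconv.ParseUint(m[4], 10, 32)
	if err != nil {
		return "", 0, nil, err
	}
	kv := map[string]string{}
	for _, f := range kvRE.FindAllStringSubmatch(m[5], -1) {
		key, quoted, raw := f[1], f[2], f[3] // exactly one of quoted/raw is non-empty
		if raw != "" && untrustedKeys[key] {
			if b, err := hex.DecodeString(raw); err == nil { // hex-encoded untrusted string; NULs separate proctitle args
				raw = strings.ReplaceAll(string(b), "\x00", " ")
			} // anything else (e.g. key=(null)) is kept verbatim
		}
		kv[key] = quoted + raw
	}
	return m[1], uint32(seq), kv, nil
}

// buildEvent assembles the records of one event into the document layout; a record
// carrying a different sequence number belongs to another event and is rejected.
func buildEvent(lines []string, resolveIDs bool) (Event, error) {
	ev := Event{User: map[string]string{}, NameMap: map[string]string{}, Process: map[string]string{}}
	for i, line := range lines {
		typ, seq, kv, err := parseRecord(line)
		if err != nil {
			return Event{}, err
		}
		if i > 0 && seq != ev.Sequence {
			return Event{}, fmt.Errorf("sequence mismatch: %d vs %d", seq, ev.Sequence)
		}
		ev.Sequence = seq
		switch typ {
		case "SYSCALL":
			ev.Result = "fail"
			if kv["success"] == "yes" {
				ev.Result = "success"
			}
			for _, k := range idKeys {
				ev.User[k] = kv[k]
				if n, ok := idNames[kv[k]]; ok && resolveIDs {
					ev.NameMap[k] = n
				}
			}
			ev.Process["pid"], ev.Process["ppid"] = kv["pid"], kv["ppid"]
			ev.Process["name"], ev.Process["exe"] = kv["comm"], kv["exe"]
		case "PATH":
			ev.Paths = append(ev.Paths, kv)
		case "PROCTITLE":
			ev.Process["title"] = kv["proctitle"]
		}
	}
	return ev, nil
}

func main() { fmt.Println(buildEvent(sampleMessages, true)) }
```

Running it prints the assembled event: sequence 4242, result `success`, `auid` 1000 resolved to `alice` while `uid`/`suid` 0 resolve to `root`, the decoded title `ls -l`, and one PATH entry for `/usr/bin/ls` on device `fd:01`. Passing `false` for `resolveIDs` leaves `NameMap` empty, mirroring the default `resolve_ids` behaviour the `name_map` description above refers to.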