Auditd fields
These are the fields generated by the auditd module.
user.auid- type: alias
alias to: user.audit.id
user.uid- type: alias
alias to: user.id
user.fsuid- type: alias
alias to: user.filesystem.id
user.suid- type: alias
alias to: user.saved.id
user.gid- type: alias
alias to: user.group.id
user.sgid- type: alias
alias to: user.saved.group.id
user.fsgid- type: alias
alias to: user.filesystem.group.id
If resolve_ids is set to true in the configuration then name_map will contain a mapping of uid field names to the resolved name (e.g. auid → root).
user.name_map.auid- type: alias
alias to: user.audit.name
user.name_map.uid- type: alias
alias to: user.name
user.name_map.fsuid- type: alias
alias to: user.filesystem.name
user.name_map.suid- type: alias
alias to: user.saved.name
user.name_map.gid- type: alias
alias to: user.group.name
user.name_map.sgid- type: alias
alias to: user.saved.group.name
user.name_map.fsgid- type: alias
alias to: user.filesystem.group.name
The SELinux identity of the actor.
user.selinux.user- account submitted for authentication
type: keyword
user.selinux.role- user’s SELinux role
type: keyword
user.selinux.domain- The actor’s SELinux domain or type.
type: keyword
user.selinux.level- The actor’s SELinux level.
type: keyword
example: s0
user.selinux.category- The actor’s SELinux category or compartments.
type: keyword
Process attributes.
process.cwd- The current working directory.
type: alias
alias to: process.working_directory
Source that triggered the event.
source.path- This is the path associated with a unix socket.
type: keyword
Destination address that triggered the event.
destination.path- This is the path associated with a unix socket.
type: keyword
auditd.message_type- The audit message type (e.g. syscall or apparmor_denied).
type: keyword
example: syscall
auditd.sequence- The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover.
type: long
auditd.session- The session ID assigned to a login. All events related to a login session will have the same value.
type: keyword
auditd.result- The result of the audited operation (success/fail).
type: keyword
example: success or fail
The actor is the user that triggered the audit event.
auditd.summary.actor.primary- The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.
type: keyword
auditd.summary.actor.secondary- The secondary identity of the actor. This is typically the same as the primary, except for when the user has used
su.
type: keyword
This is the thing or object being acted upon in the event.
auditd.summary.object.type- A description of the what the "thing" is (e.g. file, socket, user-session).
type: keyword
auditd.summary.object.primary- type: keyword
auditd.summary.object.secondary- type: keyword
auditd.summary.how- This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.
type: keyword
List of paths associated with the event.
auditd.paths.inode- inode number
type: keyword
auditd.paths.dev- device name as found in /dev
type: keyword
auditd.paths.obj_user- type: keyword
auditd.paths.obj_role- type: keyword
auditd.paths.obj_domain- type: keyword
auditd.paths.obj_level- type: keyword
auditd.paths.objtype- type: keyword
auditd.paths.ouid- file owner user ID
type: keyword
auditd.paths.rdev- the device identifier (special files only)
type: keyword
auditd.paths.nametype- kind of file operation being referenced
type: keyword
auditd.paths.ogid- file owner group ID
type: keyword
auditd.paths.item- which item is being recorded
type: keyword
auditd.paths.mode- mode flags on a file
type: keyword
auditd.paths.name- file name in avcs
type: keyword
The data from the audit messages.
auditd.data.action- netfilter packet disposition
type: keyword
auditd.data.minor- device minor number
type: keyword
auditd.data.acct- a user’s account name
type: keyword
auditd.data.addr- the remote address that the user is connecting from
type: keyword
auditd.data.cipher- name of crypto cipher selected
type: keyword
auditd.data.id- during account changes
type: keyword
auditd.data.entries- number of entries in the netfilter table
type: keyword
auditd.data.kind- server or client in crypto operation
type: keyword
auditd.data.ksize- key size for crypto operation
type: keyword
auditd.data.spid- sent process ID
type: keyword
auditd.data.arch- the elf architecture flags
type: keyword
auditd.data.argc- the number of arguments to an execve syscall
type: keyword
auditd.data.major- device major number
type: keyword
auditd.data.unit- systemd unit
type: keyword
auditd.data.table- netfilter table name
type: keyword
auditd.data.terminal- terminal name the user is running programs on
type: keyword
auditd.data.grantors- pam modules approving the action
type: keyword
auditd.data.direction- direction of crypto operation
type: keyword
auditd.data.op- the operation being performed that is audited
type: keyword
auditd.data.tty- tty udevice the user is running programs on
type: keyword
auditd.data.syscall- syscall number in effect when the event occurred
type: keyword
auditd.data.data- TTY text
type: keyword
auditd.data.family- netfilter protocol
type: keyword
auditd.data.mac- crypto MAC algorithm selected
type: keyword
auditd.data.pfs- perfect forward secrecy method
type: keyword
auditd.data.items- the number of path records in the event
type: keyword
auditd.data.a0- type: keyword
auditd.data.a1- type: keyword
auditd.data.a2- type: keyword
auditd.data.a3- type: keyword
auditd.data.hostname- the hostname that the user is connecting from
type: keyword
auditd.data.lport- local network port
type: keyword
auditd.data.rport- remote port number
type: keyword
auditd.data.exit- syscall exit code
type: keyword
auditd.data.fp- crypto key finger print
type: keyword
auditd.data.laddr- local network address
type: keyword
auditd.data.sport- local port number
type: keyword
auditd.data.capability- posix capabilities
type: keyword
auditd.data.nargs- the number of arguments to a socket call
type: keyword
auditd.data.new-enabled- new TTY audit enabled setting
type: keyword
auditd.data.audit_backlog_limit- audit system’s backlog queue size
type: keyword
auditd.data.dir- directory name
type: keyword
auditd.data.cap_pe- process effective capability map
type: keyword
auditd.data.model- security model being used for virt
type: keyword
auditd.data.new_pp- new process permitted capability map
type: keyword
auditd.data.old-enabled- present TTY audit enabled setting
type: keyword
auditd.data.oauid- object’s login user ID
type: keyword
auditd.data.old- old value
type: keyword
auditd.data.banners- banners used on printed page
type: keyword
auditd.data.feature- kernel feature being changed
type: keyword
auditd.data.vm-ctx- the vm’s context string
type: keyword
auditd.data.opid- object’s process ID
type: keyword
auditd.data.seperms- SELinux permissions being used
type: keyword
auditd.data.seresult- SELinux AVC decision granted/denied
type: keyword
auditd.data.new-rng- device name of rng being added from a vm
type: keyword
auditd.data.old-net- present MAC address assigned to vm
type: keyword
auditd.data.sigev_signo- signal number
type: keyword
auditd.data.ino- inode number
type: keyword
auditd.data.old_enforcing- old MAC enforcement status
type: keyword
auditd.data.old-vcpu- present number of CPU cores
type: keyword
auditd.data.range- user’s SE Linux range
type: keyword
auditd.data.res- result of the audited operation(success/fail)
type: keyword
auditd.data.added- number of new files detected
type: keyword
auditd.data.fam- socket address family
type: keyword
auditd.data.nlnk-pid- pid of netlink packet sender
type: keyword
auditd.data.subj- lspp subject’s context string
type: keyword
auditd.data.a[0-3]- the arguments to a syscall
type: keyword
auditd.data.cgroup- path to cgroup in sysfs
type: keyword
auditd.data.kernel- kernel’s version number
type: keyword
auditd.data.ocomm- object’s command line name
type: keyword
auditd.data.new-net- MAC address being assigned to vm
type: keyword
auditd.data.permissive- SELinux is in permissive mode
type: keyword
auditd.data.class- resource class assigned to vm
type: keyword
auditd.data.compat- is_compat_task result
type: keyword
auditd.data.fi- file assigned inherited capability map
type: keyword
auditd.data.changed- number of changed files
type: keyword
auditd.data.msg- the payload of the audit record
type: keyword
auditd.data.dport- remote port number
type: keyword
auditd.data.new-seuser- new SELinux user
type: keyword
auditd.data.invalid_context- SELinux context
type: keyword
auditd.data.dmac- remote MAC address
type: keyword
auditd.data.ipx-net- IPX network number
type: keyword
auditd.data.iuid- ipc object’s user ID
type: keyword
auditd.data.macproto- ethernet packet type ID field
type: keyword
auditd.data.obj- lspp object context string
type: keyword
auditd.data.ipid- IP datagram fragment identifier
type: keyword
auditd.data.new-fs- file system being added to vm
type: keyword
auditd.data.vm-pid- vm’s process ID
type: keyword
auditd.data.cap_pi- process inherited capability map
type: keyword
auditd.data.old-auid- previous auid value
type: keyword
auditd.data.oses- object’s session ID
type: keyword
auditd.data.fd- file descriptor number
type: keyword
auditd.data.igid- ipc object’s group ID
type: keyword
auditd.data.new-disk- disk being added to vm
type: keyword
auditd.data.parent- the inode number of the parent file
type: keyword
auditd.data.len- length
type: keyword
auditd.data.oflag- open syscall flags
type: keyword
auditd.data.uuid- a UUID
type: keyword
auditd.data.code- seccomp action code
type: keyword
auditd.data.nlnk-grp- netlink group number
type: keyword
auditd.data.cap_fp- file permitted capability map
type: keyword
auditd.data.new-mem- new amount of memory in KB
type: keyword
auditd.data.seperm- SELinux permission being decided on
type: keyword
auditd.data.enforcing- new MAC enforcement status
type: keyword
auditd.data.new-chardev- new character device being assigned to vm
type: keyword
auditd.data.old-rng- device name of rng being removed from a vm
type: keyword
auditd.data.outif- out interface number
type: keyword
auditd.data.cmd- command being executed
type: keyword
auditd.data.hook- netfilter hook that packet came from
type: keyword
auditd.data.new-level- new run level
type: keyword
auditd.data.sauid- sent login user ID
type: keyword
auditd.data.sig- signal number
type: keyword
auditd.data.audit_backlog_wait_time- audit system’s backlog wait time
type: keyword
auditd.data.printer- printer name
type: keyword
auditd.data.old-mem- present amount of memory in KB
type: keyword
auditd.data.perm- the file permission being used
type: keyword
auditd.data.old_pi- old process inherited capability map
type: keyword
auditd.data.state- audit daemon configuration resulting state
type: keyword
auditd.data.format- audit log’s format
type: keyword
auditd.data.new_gid- new group ID being assigned
type: keyword
auditd.data.tcontext- the target’s or object’s context string
type: keyword
auditd.data.maj- device major number
type: keyword
auditd.data.watch- file name in a watch record
type: keyword
auditd.data.device- device name
type: keyword
auditd.data.grp- group name
type: keyword
auditd.data.bool- name of SELinux boolean
type: keyword
auditd.data.icmp_type- type of icmp message
type: keyword
auditd.data.new_lock- new value of feature lock
type: keyword
auditd.data.old_prom- network promiscuity flag
type: keyword
auditd.data.acl- access mode of resource assigned to vm
type: keyword
auditd.data.ip- network address of a printer
type: keyword
auditd.data.new_pi- new process inherited capability map
type: keyword
auditd.data.default-context- default MAC context
type: keyword
auditd.data.inode_gid- group ID of the inode’s owner
type: keyword
auditd.data.new-log_passwd- new value for TTY password logging
type: keyword
auditd.data.new_pe- new process effective capability map
type: keyword
auditd.data.selected-context- new MAC context assigned to session
type: keyword
auditd.data.cap_fver- file system capabilities version number
type: keyword
auditd.data.file- file name
type: keyword
auditd.data.net- network MAC address
type: keyword
auditd.data.virt- kind of virtualization being referenced
type: keyword
auditd.data.cap_pp- process permitted capability map
type: keyword
auditd.data.old-range- present SELinux range
type: keyword
auditd.data.resrc- resource being assigned
type: keyword
auditd.data.new-range- new SELinux range
type: keyword
auditd.data.obj_gid- group ID of object
type: keyword
auditd.data.proto- network protocol
type: keyword
auditd.data.old-disk- disk being removed from vm
type: keyword
auditd.data.audit_failure- audit system’s failure mode
type: keyword
auditd.data.inif- in interface number
type: keyword
auditd.data.vm- virtual machine name
type: keyword
auditd.data.flags- mmap syscall flags
type: keyword
auditd.data.nlnk-fam- netlink protocol number
type: keyword
auditd.data.old-fs- file system being removed from vm
type: keyword
auditd.data.old-ses- previous ses value
type: keyword
auditd.data.seqno- sequence number
type: keyword
auditd.data.fver- file system capabilities version number
type: keyword
auditd.data.qbytes- ipc objects quantity of bytes
type: keyword
auditd.data.seuser- user’s SE Linux user acct
type: keyword
auditd.data.cap_fe- file assigned effective capability map
type: keyword
auditd.data.new-vcpu- new number of CPU cores
type: keyword
auditd.data.old-level- old run level
type: keyword
auditd.data.old_pp- old process permitted capability map
type: keyword
auditd.data.daddr- remote IP address
type: keyword
auditd.data.old-role- present SELinux role
type: keyword
auditd.data.ioctlcmd- The request argument to the ioctl syscall
type: keyword
auditd.data.smac- local MAC address
type: keyword
auditd.data.apparmor- apparmor event information
type: keyword
auditd.data.fe- file assigned effective capability map
type: keyword
auditd.data.perm_mask- file permission mask that triggered a watch event
type: keyword
auditd.data.ses- login session ID
type: keyword
auditd.data.cap_fi- file inherited capability map
type: keyword
auditd.data.obj_uid- user ID of object
type: keyword
auditd.data.reason- text string denoting a reason for the action
type: keyword
auditd.data.list- the audit system’s filter list number
type: keyword
auditd.data.old_lock- present value of feature lock
type: keyword
auditd.data.bus- name of subsystem bus a vm resource belongs to
type: keyword
auditd.data.old_pe- old process effective capability map
type: keyword
auditd.data.new-role- new SELinux role
type: keyword
auditd.data.prom- network promiscuity flag
type: keyword
auditd.data.uri- URI pointing to a printer
type: keyword
auditd.data.audit_enabled- audit systems’s enable/disable status
type: keyword
auditd.data.old-log_passwd- present value for TTY password logging
type: keyword
auditd.data.old-seuser- present SELinux user
type: keyword
auditd.data.per- linux personality
type: keyword
auditd.data.scontext- the subject’s context string
type: keyword
auditd.data.tclass- target’s object classification
type: keyword
auditd.data.ver- audit daemon’s version number
type: keyword
auditd.data.new- value being set in feature
type: keyword
auditd.data.val- generic value associated with the operation
type: keyword
auditd.data.img-ctx- the vm’s disk image context string
type: keyword
auditd.data.old-chardev- present character device assigned to vm
type: keyword
auditd.data.old_val- current value of SELinux boolean
type: keyword
auditd.data.success- whether the syscall was successful or not
type: keyword
auditd.data.inode_uid- user ID of the inode’s owner
type: keyword
auditd.data.removed- number of deleted files
type: keyword
auditd.data.socket.port- The port number.
type: keyword
auditd.data.socket.saddr- The raw socket address structure.
type: keyword
auditd.data.socket.addr- The remote address.
type: keyword
auditd.data.socket.family- The socket family (unix, ipv4, ipv6, netlink).
type: keyword
example: unix
auditd.data.socket.path- This is the path associated with a unix socket.
type: keyword
auditd.messages- An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if
include_raw_messageis set in the config.
type: alias
alias to: event.original
auditd.warnings- The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.
type: alias
alias to: error.message
The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or an Elasticsearch geoip ingest processor.
geoip.continent_name- The name of the continent.
type: keyword
geoip.city_name- The name of the city.
type: keyword
geoip.region_name- The name of the region.
type: keyword
geoip.country_iso_code- Country ISO code.
type: keyword
geoip.location- The longitude and latitude.
type: geo_point