--- title: Auditd fields description: These are the fields generated by the auditd module. If resolve_ids is set to true in the configuration then name_map will contain a mapping of uid field... url: https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/auditbeat/exported-fields-auditd products: - Auditbeat - Beats applies_to: - Elastic Cloud Serverless: Generally available - Elastic Stack: Generally available --- # Auditd fields These are the fields generated by the auditd module. type: alias alias to: user.audit.id type: alias alias to: user.id type: alias alias to: user.filesystem.id type: alias alias to: user.saved.id type: alias alias to: user.group.id type: alias alias to: user.saved.group.id type: alias alias to: user.filesystem.group.id ## name_map If `resolve_ids` is set to true in the configuration then `name_map` will contain a mapping of uid field names to the resolved name (e.g. auid -> root). type: alias alias to: user.audit.name type: alias alias to: user.name type: alias alias to: user.filesystem.name type: alias alias to: user.saved.name type: alias alias to: user.group.name type: alias alias to: user.saved.group.name type: alias alias to: user.filesystem.group.name ## selinux The SELinux identity of the actor. account submitted for authentication type: keyword user's SELinux role type: keyword The actor's SELinux domain or type. type: keyword The actor's SELinux level. type: keyword example: s0 The actor's SELinux category or compartments. type: keyword ## process Process attributes. The current working directory. type: alias alias to: process.working_directory ## source Source that triggered the event. This is the path associated with a unix socket. type: keyword ## destination Destination address that triggered the event. This is the path associated with a unix socket. type: keyword The audit message type (e.g. syscall or apparmor_denied). type: keyword example: syscall The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover. type: long The session ID assigned to a login. All events related to a login session will have the same value. type: keyword The result of the audited operation (success/fail). type: keyword example: success or fail ## actor The actor is the user that triggered the audit event. The primary identity of the actor. This is the actor's original login ID. It will not change even if the user changes to another account. type: keyword The secondary identity of the actor. This is typically the same as the primary, except for when the user has used `su`. type: keyword ## object This is the thing or object being acted upon in the event. A description of the what the "thing" is (e.g. file, socket, user-session). type: keyword type: keyword type: keyword This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event. type: keyword ## paths List of paths associated with the event. inode number type: keyword device name as found in /dev type: keyword type: keyword type: keyword type: keyword type: keyword type: keyword file owner user ID type: keyword the device identifier (special files only) type: keyword kind of file operation being referenced type: keyword file owner group ID type: keyword which item is being recorded type: keyword mode flags on a file type: keyword file name in avcs type: keyword ## data The data from the audit messages. netfilter packet disposition type: keyword device minor number type: keyword a user's account name type: keyword the remote address that the user is connecting from type: keyword name of crypto cipher selected type: keyword during account changes type: keyword number of entries in the netfilter table type: keyword server or client in crypto operation type: keyword key size for crypto operation type: keyword sent process ID type: keyword the elf architecture flags type: keyword the number of arguments to an execve syscall type: keyword device major number type: keyword systemd unit type: keyword netfilter table name type: keyword terminal name the user is running programs on type: keyword pam modules approving the action type: keyword direction of crypto operation type: keyword the operation being performed that is audited type: keyword tty udevice the user is running programs on type: keyword syscall number in effect when the event occurred type: keyword TTY text type: keyword netfilter protocol type: keyword crypto MAC algorithm selected type: keyword perfect forward secrecy method type: keyword the number of path records in the event type: keyword type: keyword type: keyword type: keyword type: keyword the hostname that the user is connecting from type: keyword local network port type: keyword remote port number type: keyword syscall exit code type: keyword crypto key finger print type: keyword local network address type: keyword local port number type: keyword posix capabilities type: keyword the number of arguments to a socket call type: keyword new TTY audit enabled setting type: keyword audit system's backlog queue size type: keyword directory name type: keyword process effective capability map type: keyword security model being used for virt type: keyword new process permitted capability map type: keyword present TTY audit enabled setting type: keyword object's login user ID type: keyword old value type: keyword banners used on printed page type: keyword kernel feature being changed type: keyword the vm's context string type: keyword object's process ID type: keyword SELinux permissions being used type: keyword SELinux AVC decision granted/denied type: keyword device name of rng being added from a vm type: keyword present MAC address assigned to vm type: keyword signal number type: keyword inode number type: keyword old MAC enforcement status type: keyword present number of CPU cores type: keyword user's SE Linux range type: keyword result of the audited operation(success/fail) type: keyword number of new files detected type: keyword socket address family type: keyword pid of netlink packet sender type: keyword lspp subject's context string type: keyword the arguments to a syscall type: keyword path to cgroup in sysfs type: keyword kernel's version number type: keyword object's command line name type: keyword MAC address being assigned to vm type: keyword SELinux is in permissive mode type: keyword resource class assigned to vm type: keyword is_compat_task result type: keyword file assigned inherited capability map type: keyword number of changed files type: keyword the payload of the audit record type: keyword remote port number type: keyword new SELinux user type: keyword SELinux context type: keyword remote MAC address type: keyword IPX network number type: keyword ipc object's user ID type: keyword ethernet packet type ID field type: keyword lspp object context string type: keyword IP datagram fragment identifier type: keyword file system being added to vm type: keyword vm's process ID type: keyword process inherited capability map type: keyword previous auid value type: keyword object's session ID type: keyword file descriptor number type: keyword ipc object's group ID type: keyword disk being added to vm type: keyword the inode number of the parent file type: keyword length type: keyword open syscall flags type: keyword a UUID type: keyword seccomp action code type: keyword netlink group number type: keyword file permitted capability map type: keyword new amount of memory in KB type: keyword SELinux permission being decided on type: keyword new MAC enforcement status type: keyword new character device being assigned to vm type: keyword device name of rng being removed from a vm type: keyword out interface number type: keyword command being executed type: keyword netfilter hook that packet came from type: keyword new run level type: keyword sent login user ID type: keyword signal number type: keyword audit system's backlog wait time type: keyword printer name type: keyword present amount of memory in KB type: keyword the file permission being used type: keyword old process inherited capability map type: keyword audit daemon configuration resulting state type: keyword audit log's format type: keyword new group ID being assigned type: keyword the target's or object's context string type: keyword device major number type: keyword file name in a watch record type: keyword device name type: keyword group name type: keyword name of SELinux boolean type: keyword type of icmp message type: keyword new value of feature lock type: keyword network promiscuity flag type: keyword access mode of resource assigned to vm type: keyword network address of a printer type: keyword new process inherited capability map type: keyword default MAC context type: keyword group ID of the inode's owner type: keyword new value for TTY password logging type: keyword new process effective capability map type: keyword new MAC context assigned to session type: keyword file system capabilities version number type: keyword file name type: keyword network MAC address type: keyword kind of virtualization being referenced type: keyword process permitted capability map type: keyword present SELinux range type: keyword resource being assigned type: keyword new SELinux range type: keyword group ID of object type: keyword network protocol type: keyword disk being removed from vm type: keyword audit system's failure mode type: keyword in interface number type: keyword virtual machine name type: keyword mmap syscall flags type: keyword netlink protocol number type: keyword file system being removed from vm type: keyword previous ses value type: keyword sequence number type: keyword file system capabilities version number type: keyword ipc objects quantity of bytes type: keyword user's SE Linux user acct type: keyword file assigned effective capability map type: keyword new number of CPU cores type: keyword old run level type: keyword old process permitted capability map type: keyword remote IP address type: keyword present SELinux role type: keyword The request argument to the ioctl syscall type: keyword local MAC address type: keyword apparmor event information type: keyword file assigned effective capability map type: keyword file permission mask that triggered a watch event type: keyword login session ID type: keyword file inherited capability map type: keyword user ID of object type: keyword text string denoting a reason for the action type: keyword the audit system's filter list number type: keyword present value of feature lock type: keyword name of subsystem bus a vm resource belongs to type: keyword old process effective capability map type: keyword new SELinux role type: keyword network promiscuity flag type: keyword URI pointing to a printer type: keyword audit systems's enable/disable status type: keyword present value for TTY password logging type: keyword present SELinux user type: keyword linux personality type: keyword the subject's context string type: keyword target's object classification type: keyword audit daemon's version number type: keyword value being set in feature type: keyword generic value associated with the operation type: keyword the vm's disk image context string type: keyword present character device assigned to vm type: keyword current value of SELinux boolean type: keyword whether the syscall was successful or not type: keyword user ID of the inode's owner type: keyword number of deleted files type: keyword The port number. type: keyword The raw socket address structure. type: keyword The remote address. type: keyword The socket family (unix, ipv4, ipv6, netlink). type: keyword example: unix This is the path associated with a unix socket. type: keyword An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if `include_raw_message` is set in the config. type: alias alias to: event.original The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only. type: alias alias to: error.message ## geoip The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or an Elasticsearch geoip ingest processor. The name of the continent. type: keyword The name of the city. type: keyword The name of the region. type: keyword Country ISO code. type: keyword The longitude and latitude. type: geo_point