Common fields
Contains common fields available in all event types.

- event.module
  The name of the module that generated the event.
- event.action
  type: keyword
  example: logged-in
  Action describes the change that triggered the event. For the file integrity module the possible values are: attributes_modified, created, deleted, updated, moved, and config_change.
file fields
File attributes.

- file.path
  type: text
  The path to the file.
- file.path.raw
  type: keyword
  The path to the file. This is a non-analyzed field that is useful for aggregations.
- file.target_path
  type: keyword
  The target path for symlinks.
- file.type
  type: keyword
  The file type (file, dir, or symlink).
- file.device
  type: keyword
  The device.
- file.inode
  type: keyword
  The inode representing the file in the filesystem.
- file.uid
  type: keyword
  The user ID (UID) or security identifier (SID) of the file owner.
- file.owner
  type: keyword
  The file owner's username.
- file.gid
  type: keyword
  The primary group ID (GID) of the file.
- file.group
  type: keyword
  The primary group name of the file.
- file.mode
  type: keyword
  example: 0640
  The mode of the file in octal representation.
- file.setuid
  type: boolean
  example: true
  Set if the file has the setuid bit set. Omitted otherwise.
- file.setgid
  type: boolean
  example: true
  Set if the file has the setgid bit set. Omitted otherwise.
- file.size
  type: long
  The file size in bytes (the field is only added when file.type is file).
- file.mtime
  type: date
  The last modified time of the file (time when content was modified).
- file.ctime
  type: date
  The last change time of the file (time when metadata was changed).
- file.origin
  type: text
  An array of strings describing a possible external origin for this file, for example the URL it was downloaded from. Only supported on macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.
- file.origin.raw
  type: keyword
  This is a non-analyzed field that is useful for aggregations on the origin data.
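As an added example (not part of the Auditbeat documentation or code base), the Python below screens a handful of constructed file_integrity events, using only the event.action and file.* fields described above, for the permission changes an analyst would want flagged: setuid/setgid bits, world-writable modes, any change to a sensitive path, and a symlink pointed at a shell. It also handles the fields the module omits (file.setuid and file.setgid when the bit is clear, no file object at all on config_change). The sample events, the sensitive-path list and the shell-target list are assumptions for illustration.

```python
"""Added example: flag risky Auditbeat file_integrity events (not Auditbeat code)."""
import stat

# Actions the file_integrity module reports that carry a file object with
# permissions; deleted and config_change do not.
CHANGE_ACTIONS = {"created", "updated", "attributes_modified", "moved"}
# Assumed (illustrative) lists; tune to the host's role.
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers", "/etc/passwd"}
SHELL_TARGETS = {"/bin/sh", "/bin/bash", "/bin/dash"}

# Constructed sample events in the shape the module emits (only fields this
# page documents, with the rest of the event stripped).
SAMPLE_EVENTS = [
    {"event": {"module": "file_integrity", "action": "created"},
     "file": {"path": "/usr/local/bin/backup", "type": "file", "mode": "04755",
              "setuid": True, "uid": "0", "owner": "root", "size": 18432}},
    {"event": {"module": "file_integrity", "action": "attributes_modified"},
     "file": {"path": "/etc/shadow", "type": "file", "mode": "0666",
              "uid": "0", "owner": "root", "size": 1230}},
    {"event": {"module": "file_integrity", "action": "updated"},
     "file": {"path": "/etc/hosts", "type": "file", "mode": "0644",
              "uid": "0", "owner": "root", "size": 221}},
    {"event": {"module": "file_integrity", "action": "deleted"},
     "file": {"path": "/tmp/x", "type": "file"}},
    {"event": {"module": "file_integrity", "action": "moved"},
     "file": {"path": "/opt/app/run.sh", "type": "symlink",
              "target_path": "/bin/sh", "mode": "0777"}},
    {"event": {"module": "file_integrity", "action": "config_change"}},
]


def parse_mode(mode):
    """file.mode is an octal *string* such as '0640' or '04755'.
    Return the numeric permission bits, or None if absent or unparseable."""
    if mode is None:
        return None
    try:
        return int(str(mode), 8)
    except ValueError:
        return None


def risky_reasons(event):
    """Return the reasons one event looks suspicious (empty list if none)."""
    reasons = []
    action = event.get("event", {}).get("action")
    if action not in CHANGE_ACTIONS:
        return reasons  # deleted / config_change: nothing to inspect
    f = event.get("file", {})
    bits = parse_mode(f.get("mode"))
    # setuid/setgid are only present when set, so a missing key means False.
    if f.get("setuid", False) or (bits is not None and bits & stat.S_ISUID):
        reasons.append("setuid")
    if f.get("setgid", False) or (bits is not None and bits & stat.S_ISGID):
        reasons.append("setgid")
    # A symlink's own mode is always 0777 on Linux, so skip the check for it.
    if f.get("type") != "symlink" and bits is not None and bits & stat.S_IWOTH:
        reasons.append("world-writable")
    if f.get("path") in SENSITIVE_PATHS:
        reasons.append("sensitive-path")
    if f.get("type") == "symlink" and f.get("target_path") in SHELL_TARGETS:
        reasons.append("symlink-to-shell")
    return reasons


def find_risky_events(events):
    """Map file.path to its reasons for every event that triggered a rule."""
    hits = {}
    for ev in events:
        reasons = risky_reasons(ev)
        if reasons:
            hits[ev["file"]["path"]] = reasons
    return hits


if __name__ == "__main__":
    for path, why in find_risky_events(SAMPLE_EVENTS).items():
        print(f"{path}: {', '.join(why)}")
```

Two details matter when querying these fields for real. file.mode is a keyword, so compare it as text or parse it with base 8 as above; `int("0640", 8)` is 416, and a pipeline that converts the field to a number silently produces that value. And because file.setuid and file.setgid are omitted rather than set to false, a detection written as `file.setuid: false` matches nothing; test for presence (or for the bits in file.mode) instead.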
selinux fields
The SELinux identity of the file.

- file.selinux.user
  type: keyword
  The owner of the object.
- file.selinux.role
  type: keyword
  The object's SELinux role.
- file.selinux.domain
  type: keyword
  The object's SELinux domain or type.
- file.selinux.level
  type: keyword
  example: s0
  The object's SELinux level.