Audit Fields

The audit module reports security-relevant information based on data captured from the operating system (OS) or services running on the OS.

The file metricset generates events when a file changes on disk.

type: keyword

The path to the file.

type: keyword

The target path for symlinks.

type: keyword

example: attributes_modified

Action describes the change to the file. The possible values are: attributes_modified, created, deleted, updated, and moved.

type: keyword

The file type (file, dir, or symlink).

type: keyword

The inode representing the file in the filesystem.

type: keyword

The user ID (UID) of the file owner.

type: keyword

The file owner’s username.

type: keyword

The primary group ID (GID) of the file.

type: keyword

The primary group name of the file.

type: keyword

The security identifier (SID) of the file owner (Windows only).

type: keyword

example: 416

The mode of the file in octal representation.

type: long

The file size in bytes.

type: date

The last access time of the file.

type: date

The last modified time of the file.

type: date

The creation time of the file.

type: boolean

Boolean indicating if the event includes file hashes. If true the md5, sha1, and sha256 fields will be present.

type: keyword

MD5 hash of the file.

type: keyword

SHA1 hash of the file.

type: keyword

SHA256 hash of the file.

The kernel metricset distributes audit events received from the Linux Audit Framework that is a part of the Linux kernel.

type: keyword

example: logged-in

A description of the action taken by the user.

The actor is the user that triggered the audit event.

Attributes of the actor.

type: keyword

login user ID

type: keyword

user ID

type: keyword

effective user ID

type: keyword

file system user ID

type: keyword

sent user ID

type: keyword

group ID

type: keyword

effective group ID

type: keyword

set group ID

type: keyword

file system group ID

type: keyword

The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.

type: keyword

The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su.

The SELinux identity of the actor.

type: keyword

account submitted for authentication

type: keyword

user’s SELinux role

type: keyword

The actor’s SELinux domain or type.

type: keyword

example: s0

The actor’s SELinux level.

type: keyword

The actor’s SELinux category or compartments.

type: keyword

example: audit-rule

The event’s category is a value derived from the record_type.

type: long

The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover.

type: keyword

The session ID assigned to a login. All events related to a login session will have the same value.

List of paths associated with the event.

type: keyword

inode number

type: keyword

device name as found in /dev

type: keyword

type: keyword

type: keyword

type: keyword

type: keyword

type: keyword

file owner user ID

type: keyword

the device identifier (special files only)

type: keyword

kind of file operation being referenced

type: keyword

file owner group ID

type: keyword

which item is being recorded

type: keyword

mode flags on a file

type: keyword

file name in avcs

type: keyword

The audit record’s type.

Socket data from sockaddr messages.

type: keyword

The port number.

type: keyword

The raw socket address structure.

type: keyword

The remote address.

type: keyword

example: unix

The socket family (unix, ipv4, ipv6, netlink).

type: keyword

This is the path associated with a unix socket.

This is the thing or object being acted upon in the event.

type: keyword

A description of the what the "thing" is (e.g. file, socket, user-session).

type: keyword

type: keyword

The SELinux identity of the object.

type: keyword

The owner of the object.

type: keyword

The object’s SELinux role.

type: keyword

The object’s SELinux domain or type.

type: keyword

example: s0

The object’s SELinux level.

type: keyword

This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.

type: keyword

The key assigned to the audit rule that triggered the event.

type: keyword

example: success or fail

The result of the audited operation (success/fail).

The data from the audit messages.

type: keyword

netfilter packet disposition

type: keyword

device minor number

type: keyword

a user’s account name

type: keyword

the remote address that the user is connecting from

type: keyword

name of crypto cipher selected

type: keyword

during account changes

type: keyword

number of entries in the netfilter table

type: keyword

server or client in crypto operation

type: keyword

key size for crypto operation

type: keyword

sent process ID

type: keyword

the elf architecture flags

type: keyword

the number of arguments to an execve syscall

type: keyword

device major number

type: keyword

systemd unit

type: keyword

netfilter table name

type: keyword

terminal name the user is running programs on

type: keyword

command line program name

type: keyword

executable name

type: keyword

pam modules approving the action

type: keyword

process ID

type: keyword

direction of crypto operation

type: keyword

the operation being performed that is audited

type: keyword

tty udevice the user is running programs on

type: keyword

process title and command line parameters

type: keyword

syscall number in effect when the event occurred

type: keyword

TTY text

type: keyword

netfilter protocol

type: keyword

crypto MAC algorithm selected

type: keyword

perfect forward secrecy method

type: keyword

the number of path records in the event

type: keyword

type: keyword

type: keyword

type: keyword

type: keyword

the current working directory

type: keyword

the hostname that the user is connecting from

type: keyword

local network port

type: keyword

parent process ID

type: keyword

remote port number

type: keyword

The full command line from the execve message.

type: keyword

syscall exit code

type: keyword

crypto key finger print

type: keyword

local network address

type: keyword

local port number

type: keyword

posix capabilities

type: keyword

the number of arguments to a socket call

type: keyword

new TTY audit enabled setting

type: keyword

audit system’s backlog queue size

type: keyword

directory name

type: keyword

process effective capability map

type: keyword

security model being used for virt

type: keyword

new process permitted capability map

type: keyword

present TTY audit enabled setting

type: keyword

object’s login user ID

type: keyword

old value

type: keyword

banners used on printed page

type: keyword

kernel feature being changed

type: keyword

the vm’s context string

type: keyword

object’s process ID

type: keyword

SELinux permissions being used

type: keyword

SELinux AVC decision granted/denied

type: keyword

device name of rng being added from a vm

type: keyword

present MAC address assigned to vm

type: keyword

signal number

type: keyword

inode number

type: keyword

old MAC enforcement status

type: keyword

present number of CPU cores

type: keyword

user’s SE Linux range

type: keyword

result of the audited operation(success/fail)

type: keyword

number of new files detected

type: keyword

socket address family

type: keyword

pid of netlink packet sender

type: keyword

lspp subject’s context string

type: keyword

the arguments to a syscall

type: keyword

path to cgroup in sysfs

type: keyword

kernel’s version number

type: keyword

object’s command line name

type: keyword

MAC address being assigned to vm

type: keyword

SELinux is in permissive mode

type: keyword

resource class assigned to vm

type: keyword

is_compat_task result

type: keyword

file assigned inherited capability map

type: keyword

number of changed files

type: keyword

the payload of the audit record

type: keyword

remote port number

type: keyword

new SELinux user

type: keyword

SELinux context

type: keyword

remote MAC address

type: keyword

IPX network number

type: keyword

ipc object’s user ID

type: keyword

ethernet packet type ID field

type: keyword

lspp object context string

type: keyword

the arguments to the execve syscall

type: keyword

IP datagram fragment identifier

type: keyword

file system being added to vm

type: keyword

vm’s process ID

type: keyword

process inherited capability map

type: keyword

previous auid value

type: keyword

object’s session ID

type: keyword

file descriptor number

type: keyword

ipc object’s group ID

type: keyword

disk being added to vm

type: keyword

the inode number of the parent file

type: keyword

length

type: keyword

open syscall flags

type: keyword

a UUID

type: keyword

seccomp action code

type: keyword

netlink group number

type: keyword

file permitted capability map

type: keyword

new amount of memory in KB

type: keyword

SELinux permission being decided on

type: keyword

new MAC enforcement status

type: keyword

new character device being assigned to vm

type: keyword

device name of rng being removed from a vm

type: keyword

out interface number

type: keyword

command being executed

type: keyword

netfilter hook that packet came from

type: keyword

new run level

type: keyword

sent login user ID

type: keyword

signal number

type: keyword

audit system’s backlog wait time

type: keyword

printer name

type: keyword

present amount of memory in KB

type: keyword

the file permission being used

type: keyword

old process inherited capability map

type: keyword

audit daemon configuration resulting state

type: keyword

audit log’s format

type: keyword

new group ID being assigned

type: keyword

the target’s or object’s context string

type: keyword

device major number

type: keyword

file name in a watch record

type: keyword

device name

type: keyword

group name

type: keyword

name of SELinux boolean

type: keyword

type of icmp message

type: keyword

new value of feature lock

type: keyword

network promiscuity flag

type: keyword

access mode of resource assigned to vm

type: keyword

network address of a printer

type: keyword

new process inherited capability map

type: keyword

default MAC context

type: keyword

group ID of the inode’s owner

type: keyword

new value for TTY password logging

type: keyword

new process effective capability map

type: keyword

new MAC context assigned to session

type: keyword

file system capabilities version number

type: keyword

file name

type: keyword

network MAC address

type: keyword

kind of virtualization being referenced

type: keyword

process permitted capability map

type: keyword

present SELinux range

type: keyword

resource being assigned

type: keyword

new SELinux range

type: keyword

group ID of object

type: keyword

network protocol

type: keyword

disk being removed from vm

type: keyword

audit system’s failure mode

type: keyword

in interface number

type: keyword

virtual machine name

type: keyword

mmap syscall flags

type: keyword

netlink protocol number

type: keyword

file system being removed from vm

type: keyword

previous ses value

type: keyword

sequence number

type: keyword

file system capabilities version number

type: keyword

ipc objects quantity of bytes

type: keyword

user’s SE Linux user acct

type: keyword

file assigned effective capability map

type: keyword

new number of CPU cores

type: keyword

old run level

type: keyword

old process permitted capability map

type: keyword

remote IP address

type: keyword

present SELinux role

type: keyword

The request argument to the ioctl syscall

type: keyword

local MAC address

type: keyword

apparmor event information

type: keyword

file assigned effective capability map

type: keyword

file permission mask that triggered a watch event

type: keyword

login session ID

type: keyword

file inherited capability map

type: keyword

user ID of object

type: keyword

text string denoting a reason for the action

type: keyword

the audit system’s filter list number

type: keyword

present value of feature lock

type: keyword

name of subsystem bus a vm resource belongs to

type: keyword

old process effective capability map

type: keyword

new SELinux role

type: keyword

network promiscuity flag

type: keyword

URI pointing to a printer

type: keyword

audit systems’s enable/disable status

type: keyword

present value for TTY password logging

type: keyword

present SELinux user

type: keyword

linux personality

type: keyword

the subject’s context string

type: keyword

target’s object classification

type: keyword

audit daemon’s version number

type: keyword

value being set in feature

type: keyword

generic value associated with the operation

type: keyword

the vm’s disk image context string

type: keyword

present character device assigned to vm

type: keyword

current value of SELinux boolean

type: keyword

whether the syscall was successful or not

type: keyword

user ID of the inode’s owner

type: keyword

number of deleted files

type: text

An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if kernel.include_raw_message is set in the config.

type: keyword

The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.

Contains GeoIP information gathered based on the os_events.audit.addr field. Only present if the GeoIP Elasticsearch plugin is available and used.

type: keyword

The name of the continent.

type: keyword

The name of the city.

type: keyword

The name of the region.

type: keyword

Country ISO code.

type: geo_point

The longitude and latitude.