- Auditbeat Reference: other versions:
- Overview
- Getting started with Auditbeat
- Breaking changes in 6.2
- Setting up and running Auditbeat
- Configuring Auditbeat
- Specify which modules to run
- Specify general settings
- Reload the configuration dynamically
- Configure the internal queue
- Configure the output
- Set up index lifecycle management
- Specify SSL settings
- Filter and enhance the exported data
- Parse data by using ingest node
- Set up project paths
- Set up the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- YAML tips and gotchas
- Regular expression support
- HTTP Endpoint
- auditbeat.reference.yml
- Modules
- Exported fields
- Monitoring Auditbeat
- Securing Auditbeat
- Troubleshooting
- Contributing to Beats
System fields
editSystem fields
editThese are the fields generated by the system module.
system.audit fields
edithost fields
edithost contains general host information.
-
system.audit.host.uptime -
type: long
Uptime in nanoseconds.
-
system.audit.host.boottime -
type: date
Boot time.
-
system.audit.host.containerized -
type: boolean
Set if host is a container.
-
system.audit.host.timezone.name -
type: keyword
Name of the timezone of the host, e.g. BST.
-
system.audit.host.timezone.offset.sec -
type: long
Timezone offset in seconds.
-
system.audit.host.hostname -
type: keyword
Hostname.
-
system.audit.host.id -
type: keyword
Host ID.
-
system.audit.host.architecture -
type: keyword
Host architecture (e.g. x86_64).
-
system.audit.host.mac -
type: keyword
MAC addresses.
-
system.audit.host.ip -
type: ip
IP addresses.
os fields
editos contains information about the operating system.
-
system.audit.host.os.platform -
type: keyword
OS platform (e.g. centos, ubuntu, windows).
-
system.audit.host.os.name -
type: keyword
OS name (e.g. Mac OS X).
-
system.audit.host.os.family -
type: keyword
OS family (e.g. redhat, debian, freebsd, windows).
-
system.audit.host.os.version -
type: keyword
OS version.
-
system.audit.host.os.kernel -
type: keyword
The operating system’s kernel version.
user fields
edituser contains information about the users on a system.
-
system.audit.user.name -
type: keyword
User name.
-
system.audit.user.uid -
type: keyword
User ID.
-
system.audit.user.gid -
type: keyword
Group ID.
-
system.audit.user.dir -
type: keyword
User’s home directory.
-
system.audit.user.shell -
type: keyword
Program to run at login.
-
system.audit.user.user_information -
type: text
General user information. On Linux, this is the gecos field.
-
system.audit.user.group -
type: object
groupcontains information about any groups the user is part of (beyond the user’s primary group).
password fields
editpassword contains information about a user’s password (not the password itself).
-
system.audit.user.password.type -
type: keyword
A user’s password type. Possible values are
shadow_password(the password hash is in the shadow file),password_disabled,no_password(this is dangerous as anyone can log in), andcrypt_password(when the password field in /etc/passwd seems to contain an encrypted password). -
system.audit.user.password.last_changed -
type: date
The day the user’s password was last changed.