
System fields

These are the fields generated by the system module.

system.audit fields

host fields

host contains general host information.

system.audit.host.uptime

type: long

Uptime in nanoseconds.

system.audit.host.boottime

type: date

Boot time.

system.audit.host.containerized

type: boolean

Set to true if the host is a container.

system.audit.host.timezone.name

type: keyword

Name of the timezone of the host, e.g. BST.

system.audit.host.timezone.offset.sec

type: long

Timezone offset in seconds.

system.audit.host.hostname

type: keyword

Hostname.

system.audit.host.id

type: keyword

Host ID.

system.audit.host.architecture

type: keyword

Host architecture (e.g. x86_64).

system.audit.host.mac

type: keyword

MAC addresses.

system.audit.host.ip

type: ip

IP addresses.

os fields

os contains information about the operating system.

system.audit.host.os.platform

type: keyword

OS platform (e.g. centos, ubuntu, windows).

system.audit.host.os.name

type: keyword

OS name (e.g. Mac OS X).

system.audit.host.os.family

type: keyword

OS family (e.g. redhat, debian, freebsd, windows).

system.audit.host.os.version

type: keyword

OS version.

system.audit.host.os.kernel

type: keyword

The operating system’s kernel version.

user fields

user contains information about the users on a system.

system.audit.user.name

type: keyword

User name.

system.audit.user.uid

type: keyword

User ID.

system.audit.user.gid

type: keyword

Group ID.

system.audit.user.dir

type: keyword

User’s home directory.

system.audit.user.shell

type: keyword

The user's login shell (the program run at login).

system.audit.user.user_information

type: text

General user information. On Linux, this is the gecos field.

system.audit.user.group

type: object

group contains information about any groups the user is part of (beyond the user’s primary group).

password fields

password contains information about a user’s password (not the password itself).

system.audit.user.password.type

type: keyword

The type of the user's password. Possible values are shadow_password (the password hash is stored in the shadow file), password_disabled (the account's password is locked), no_password (the password field is empty; this is dangerous because anyone can log in without a password), and crypt_password (the password field in /etc/passwd itself appears to contain an encrypted password hash rather than the usual x placeholder).
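The four password types above describe how an account's password entry is stored, and the no_password case is the one a defender most wants to surface. The following Python example reproduces that classification over /etc/passwd and /etc/shadow style records so the values can be checked outside of Auditbeat. It is an added example, not Auditbeat's own code: the rules in classify_password (empty field means no_password, a leading ! or * means password_disabled, x means the hash lives in the shadow file, anything else is treated as a hash in /etc/passwd) are this example's own reading of the field description, and the sample lines are constructed, not taken from a real system.

```python
"""Classify password entries into the values of system.audit.user.password.type.

Added example; the rules below are an interpretation of the field description,
not a copy of the Auditbeat system module's logic.
"""

# Constructed sample data (not real accounts). Fields follow the classic
# name:password:uid:gid:gecos:home:shell layout for passwd and
# name:hash:lastchg:min:max:warn:inactive:expire: for shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
svc:x:1001:1001:service account:/var/lib/svc:/usr/sbin/nologin
legacy:$6$salt$legacyhashvalue:1002:1002:legacy user:/home/legacy:/bin/sh
guest::1003:1003:guest:/home/guest:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$salt$roothashvalue:19700:0:99999:7:::
svc:!:19700:0:99999:7:::
"""

LOCK_PREFIXES = ("!", "*")


def parse_passwd(text):
    """Return {name: password_field} from passwd-formatted text."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue  # malformed line; skip rather than guess
        entries[parts[0]] = parts[1]
    return entries


def parse_shadow(text):
    """Return {name: hash_field} from shadow-formatted text."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        entries[parts[0]] = parts[1]
    return entries


def classify_password(passwd_field, shadow_hash):
    """Map a passwd password field plus its shadow hash (or None) to a type.

    Returns one of shadow_password, password_disabled, no_password,
    crypt_password, or None when the passwd entry points at the shadow
    file but no shadow record exists (undeterminable).
    """
    if passwd_field == "":
        return "no_password"  # empty field: login without a password
    if passwd_field.startswith(LOCK_PREFIXES):
        return "password_disabled"
    if passwd_field == "x":
        if shadow_hash is None:
            return None
        if shadow_hash == "":
            return "no_password"  # shadow entry present but empty
        if shadow_hash.startswith(LOCK_PREFIXES):
            return "password_disabled"
        return "shadow_password"
    # Anything else in /etc/passwd is treated as an in-place hash.
    return "crypt_password"


def audit_password_types(passwd_text, shadow_text):
    """Return {name: password_type} for every account in passwd_text."""
    shadow = parse_shadow(shadow_text)
    return {
        name: classify_password(field, shadow.get(name))
        for name, field in parse_passwd(passwd_text).items()
    }


def accounts_without_password(passwd_text, shadow_text):
    """Names of accounts classified as no_password, the case worth alerting on."""
    types = audit_password_types(passwd_text, shadow_text)
    return sorted(n for n, t in types.items() if t == "no_password")


if __name__ == "__main__":
    for name, ptype in audit_password_types(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{name}: {ptype}")
    print("no_password accounts:", accounts_without_password(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

On a live host the same functions can be fed the contents of /etc/passwd and /etc/shadow (the latter requires root to read); the shadow file is never printed or stored by this code, only inspected for the empty and lock-prefix cases.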

system.audit.user.password.last_changed

type: date

The day the user’s password was last changed.
