Auditd fields

These are the fields generated by the auditd module.

user.auid

type: alias

alias to: user.audit.id

user.uid

type: alias

alias to: user.id

user.euid

type: alias

alias to: user.effective.id

user.fsuid

type: alias

alias to: user.filesystem.id

user.suid

type: alias

alias to: user.saved.id

user.gid

type: alias

alias to: user.group.id

user.egid

type: alias

alias to: user.effective.group.id

user.sgid

type: alias

alias to: user.saved.group.id

user.fsgid

type: alias

alias to: user.filesystem.group.id

name_map fields

If resolve_ids is set to true in the configuration then name_map will contain a mapping of uid field names to the resolved name (e.g. auid → root).

user.name_map.auid

type: alias

alias to: user.audit.name

user.name_map.uid

type: alias

alias to: user.name

user.name_map.euid

type: alias

alias to: user.effective.name

user.name_map.fsuid

type: alias

alias to: user.filesystem.name

user.name_map.suid

type: alias

alias to: user.saved.name

user.name_map.gid

type: alias

alias to: user.group.name

user.name_map.egid

type: alias

alias to: user.effective.group.name

user.name_map.sgid

type: alias

alias to: user.saved.group.name

user.name_map.fsgid

type: alias

alias to: user.filesystem.group.name

selinux fields

The SELinux identity of the actor.

user.selinux.user

type: keyword

account submitted for authentication

user.selinux.role

type: keyword

user’s SELinux role

user.selinux.domain

type: keyword

The actor’s SELinux domain or type.

user.selinux.level

type: keyword

example: s0

The actor’s SELinux level.

user.selinux.category

type: keyword

The actor’s SELinux category or compartments.

process fields

Process attributes.

process.cwd

type: alias

alias to: process.working_directory

The current working directory.

source fields

Source that triggered the event.

source.path

type: keyword

This is the path associated with a unix socket.

destination fields

Destination address that triggered the event.

destination.path

type: keyword

This is the path associated with a unix socket.

auditd.message_type

type: keyword

example: syscall

The audit message type (e.g. syscall or apparmor_denied).

auditd.sequence

type: long

The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can roll over.

auditd.session

type: keyword

The session ID assigned to a login. All events related to a login session will have the same value.

auditd.result

type: keyword

example: success or fail

The result of the audited operation (success/fail).

actor fields

The actor is the user that triggered the audit event.

auditd.summary.actor.primary

type: keyword

The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.

auditd.summary.actor.secondary

type: keyword

The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su.

object fields

This is the thing or object being acted upon in the event.

auditd.summary.object.type

type: keyword

A description of what the "thing" is (e.g. file, socket, user-session).

auditd.summary.object.primary

type: keyword

auditd.summary.object.secondary

type: keyword

auditd.summary.how

type: keyword

This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.

paths fields

List of paths associated with the event.

auditd.paths.inode

type: keyword

inode number

auditd.paths.dev

type: keyword

device name as found in /dev

auditd.paths.obj_user

type: keyword

auditd.paths.obj_role

type: keyword

auditd.paths.obj_domain

type: keyword

auditd.paths.obj_level

type: keyword

auditd.paths.objtype

type: keyword

auditd.paths.ouid

type: keyword

file owner user ID

auditd.paths.rdev

type: keyword

the device identifier (special files only)

auditd.paths.nametype

type: keyword

kind of file operation being referenced

auditd.paths.ogid

type: keyword

file owner group ID

auditd.paths.item

type: keyword

which item is being recorded

auditd.paths.mode

type: keyword

mode flags on a file

auditd.paths.name

type: keyword

file name in avcs

data fields

The data from the audit messages.

auditd.data.action

type: keyword

netfilter packet disposition

auditd.data.minor

type: keyword

device minor number

auditd.data.acct

type: keyword

a user’s account name

auditd.data.addr

type: keyword

the remote address that the user is connecting from

auditd.data.cipher

type: keyword

name of crypto cipher selected

auditd.data.id

type: keyword

during account changes

auditd.data.entries

type: keyword

number of entries in the netfilter table

auditd.data.kind

type: keyword

server or client in crypto operation

auditd.data.ksize

type: keyword

key size for crypto operation

auditd.data.spid

type: keyword

sent process ID

auditd.data.arch

type: keyword

the elf architecture flags

auditd.data.argc

type: keyword

the number of arguments to an execve syscall

auditd.data.major

type: keyword

device major number

auditd.data.unit

type: keyword

systemd unit

auditd.data.table

type: keyword

netfilter table name

auditd.data.terminal

type: keyword

terminal name the user is running programs on

auditd.data.grantors

type: keyword

pam modules approving the action

auditd.data.direction

type: keyword

direction of crypto operation

auditd.data.op

type: keyword

the operation being performed that is audited

auditd.data.tty

type: keyword

tty device the user is running programs on

auditd.data.syscall

type: keyword

syscall number in effect when the event occurred

auditd.data.data

type: keyword

TTY text

auditd.data.family

type: keyword

netfilter protocol

auditd.data.mac

type: keyword

crypto MAC algorithm selected

auditd.data.pfs

type: keyword

perfect forward secrecy method

auditd.data.items

type: keyword

the number of path records in the event

auditd.data.a0

type: keyword

auditd.data.a1

type: keyword

auditd.data.a2

type: keyword

auditd.data.a3

type: keyword

auditd.data.hostname

type: keyword

the hostname that the user is connecting from

auditd.data.lport

type: keyword

local network port

auditd.data.rport

type: keyword

remote port number

auditd.data.exit

type: keyword

syscall exit code

auditd.data.fp

type: keyword

crypto key fingerprint

auditd.data.laddr

type: keyword

local network address

auditd.data.sport

type: keyword

local port number

auditd.data.capability

type: keyword

posix capabilities

auditd.data.nargs

type: keyword

the number of arguments to a socket call

auditd.data.new-enabled

type: keyword

new TTY audit enabled setting

auditd.data.audit_backlog_limit

type: keyword

audit system’s backlog queue size

auditd.data.dir

type: keyword

directory name

auditd.data.cap_pe

type: keyword

process effective capability map

auditd.data.model

type: keyword

security model being used for virt

auditd.data.new_pp

type: keyword

new process permitted capability map

auditd.data.old-enabled

type: keyword

present TTY audit enabled setting

auditd.data.oauid

type: keyword

object’s login user ID

auditd.data.old

type: keyword

old value

auditd.data.banners

type: keyword

banners used on printed page

auditd.data.feature

type: keyword

kernel feature being changed

auditd.data.vm-ctx

type: keyword

the vm’s context string

auditd.data.opid

type: keyword

object’s process ID

auditd.data.seperms

type: keyword

SELinux permissions being used

auditd.data.seresult

type: keyword

SELinux AVC decision granted/denied

auditd.data.new-rng

type: keyword

device name of rng being added from a vm

auditd.data.old-net

type: keyword

present MAC address assigned to vm

auditd.data.sigev_signo

type: keyword

signal number

auditd.data.ino

type: keyword

inode number

auditd.data.old_enforcing

type: keyword

old MAC enforcement status

auditd.data.old-vcpu

type: keyword

present number of CPU cores

auditd.data.range

type: keyword

user’s SELinux range

auditd.data.res

type: keyword

result of the audited operation (success/fail)

auditd.data.added

type: keyword

number of new files detected

auditd.data.fam

type: keyword

socket address family

auditd.data.nlnk-pid

type: keyword

pid of netlink packet sender

auditd.data.subj

type: keyword

lspp subject’s context string

auditd.data.a[0-3]

type: keyword

the arguments to a syscall

auditd.data.cgroup

type: keyword

path to cgroup in sysfs

auditd.data.kernel

type: keyword

kernel’s version number

auditd.data.ocomm

type: keyword

object’s command line name

auditd.data.new-net

type: keyword

MAC address being assigned to vm

auditd.data.permissive

type: keyword

SELinux is in permissive mode

auditd.data.class

type: keyword

resource class assigned to vm

auditd.data.compat

type: keyword

is_compat_task result

auditd.data.fi

type: keyword

file assigned inherited capability map

auditd.data.changed

type: keyword

number of changed files

auditd.data.msg

type: keyword

the payload of the audit record

auditd.data.dport

type: keyword

remote port number

auditd.data.new-seuser

type: keyword

new SELinux user

auditd.data.invalid_context

type: keyword

SELinux context

auditd.data.dmac

type: keyword

remote MAC address

auditd.data.ipx-net

type: keyword

IPX network number

auditd.data.iuid

type: keyword

ipc object’s user ID

auditd.data.macproto

type: keyword

ethernet packet type ID field

auditd.data.obj

type: keyword

lspp object context string

auditd.data.ipid

type: keyword

IP datagram fragment identifier

auditd.data.new-fs

type: keyword

file system being added to vm

auditd.data.vm-pid

type: keyword

vm’s process ID

auditd.data.cap_pi

type: keyword

process inherited capability map

auditd.data.old-auid

type: keyword

previous auid value

auditd.data.oses

type: keyword

object’s session ID

auditd.data.fd

type: keyword

file descriptor number

auditd.data.igid

type: keyword

ipc object’s group ID

auditd.data.new-disk

type: keyword

disk being added to vm

auditd.data.parent

type: keyword

the inode number of the parent file

auditd.data.len

type: keyword

length

auditd.data.oflag

type: keyword

open syscall flags

auditd.data.uuid

type: keyword

a UUID

auditd.data.code

type: keyword

seccomp action code

auditd.data.nlnk-grp

type: keyword

netlink group number

auditd.data.cap_fp

type: keyword

file permitted capability map

auditd.data.new-mem

type: keyword

new amount of memory in KB

auditd.data.seperm

type: keyword

SELinux permission being decided on

auditd.data.enforcing

type: keyword

new MAC enforcement status

auditd.data.new-chardev

type: keyword

new character device being assigned to vm

auditd.data.old-rng

type: keyword

device name of rng being removed from a vm

auditd.data.outif

type: keyword

out interface number

auditd.data.cmd

type: keyword

command being executed

auditd.data.hook

type: keyword

netfilter hook that packet came from

auditd.data.new-level

type: keyword

new run level

auditd.data.sauid

type: keyword

sent login user ID

auditd.data.sig

type: keyword

signal number

auditd.data.audit_backlog_wait_time

type: keyword

audit system’s backlog wait time

auditd.data.printer

type: keyword

printer name

auditd.data.old-mem

type: keyword

present amount of memory in KB

auditd.data.perm

type: keyword

the file permission being used

auditd.data.old_pi

type: keyword

old process inherited capability map

auditd.data.state

type: keyword

audit daemon configuration resulting state

auditd.data.format

type: keyword

audit log’s format

auditd.data.new_gid

type: keyword

new group ID being assigned

auditd.data.tcontext

type: keyword

the target’s or object’s context string

auditd.data.maj

type: keyword

device major number

auditd.data.watch

type: keyword

file name in a watch record

auditd.data.device

type: keyword

device name

auditd.data.grp

type: keyword

group name

auditd.data.bool

type: keyword

name of SELinux boolean

auditd.data.icmp_type

type: keyword

type of icmp message

auditd.data.new_lock

type: keyword

new value of feature lock

auditd.data.old_prom

type: keyword

network promiscuity flag

auditd.data.acl

type: keyword

access mode of resource assigned to vm

auditd.data.ip

type: keyword

network address of a printer

auditd.data.new_pi

type: keyword

new process inherited capability map

auditd.data.default-context

type: keyword

default MAC context

auditd.data.inode_gid

type: keyword

group ID of the inode’s owner

auditd.data.new-log_passwd

type: keyword

new value for TTY password logging

auditd.data.new_pe

type: keyword

new process effective capability map

auditd.data.selected-context

type: keyword

new MAC context assigned to session

auditd.data.cap_fver

type: keyword

file system capabilities version number

auditd.data.file

type: keyword

file name

auditd.data.net

type: keyword

network MAC address

auditd.data.virt

type: keyword

kind of virtualization being referenced

auditd.data.cap_pp

type: keyword

process permitted capability map

auditd.data.old-range

type: keyword

present SELinux range

auditd.data.resrc

type: keyword

resource being assigned

auditd.data.new-range

type: keyword

new SELinux range

auditd.data.obj_gid

type: keyword

group ID of object

auditd.data.proto

type: keyword

network protocol

auditd.data.old-disk

type: keyword

disk being removed from vm

auditd.data.audit_failure

type: keyword

audit system’s failure mode

auditd.data.inif

type: keyword

in interface number

auditd.data.vm

type: keyword

virtual machine name

auditd.data.flags

type: keyword

mmap syscall flags

auditd.data.nlnk-fam

type: keyword

netlink protocol number

auditd.data.old-fs

type: keyword

file system being removed from vm

auditd.data.old-ses

type: keyword

previous ses value

auditd.data.seqno

type: keyword

sequence number

auditd.data.fver

type: keyword

file system capabilities version number

auditd.data.qbytes

type: keyword

ipc object’s quantity of bytes

auditd.data.seuser

type: keyword

user’s SELinux user acct

auditd.data.cap_fe

type: keyword

file assigned effective capability map

auditd.data.new-vcpu

type: keyword

new number of CPU cores

auditd.data.old-level

type: keyword

old run level

auditd.data.old_pp

type: keyword

old process permitted capability map

auditd.data.daddr

type: keyword

remote IP address

auditd.data.old-role

type: keyword

present SELinux role

auditd.data.ioctlcmd

type: keyword

The request argument to the ioctl syscall

auditd.data.smac

type: keyword

local MAC address

auditd.data.apparmor

type: keyword

apparmor event information

auditd.data.fe

type: keyword

file assigned effective capability map

auditd.data.perm_mask

type: keyword

file permission mask that triggered a watch event

auditd.data.ses

type: keyword

login session ID

auditd.data.cap_fi

type: keyword

file inherited capability map

auditd.data.obj_uid

type: keyword

user ID of object

auditd.data.reason

type: keyword

text string denoting a reason for the action

auditd.data.list

type: keyword

the audit system’s filter list number

auditd.data.old_lock

type: keyword

present value of feature lock

auditd.data.bus

type: keyword

name of subsystem bus a vm resource belongs to

auditd.data.old_pe

type: keyword

old process effective capability map

auditd.data.new-role

type: keyword

new SELinux role

auditd.data.prom

type: keyword

network promiscuity flag

auditd.data.uri

type: keyword

URI pointing to a printer

auditd.data.audit_enabled

type: keyword

audit system’s enable/disable status

auditd.data.old-log_passwd

type: keyword

present value for TTY password logging

auditd.data.old-seuser

type: keyword

present SELinux user

auditd.data.per

type: keyword

linux personality

auditd.data.scontext

type: keyword

the subject’s context string

auditd.data.tclass

type: keyword

target’s object classification

auditd.data.ver

type: keyword

audit daemon’s version number

auditd.data.new

type: keyword

value being set in feature

auditd.data.val

type: keyword

generic value associated with the operation

auditd.data.img-ctx

type: keyword

the vm’s disk image context string

auditd.data.old-chardev

type: keyword

present character device assigned to vm

auditd.data.old_val

type: keyword

current value of SELinux boolean

auditd.data.success

type: keyword

whether the syscall was successful or not

auditd.data.inode_uid

type: keyword

user ID of the inode’s owner

auditd.data.removed

type: keyword

number of deleted files

auditd.data.socket.port

type: keyword

The port number.

auditd.data.socket.saddr

type: keyword

The raw socket address structure.

auditd.data.socket.addr

type: keyword

The remote address.

auditd.data.socket.family

type: keyword

example: unix

The socket family (unix, ipv4, ipv6, netlink).

auditd.data.socket.path

type: keyword

This is the path associated with a unix socket.

auditd.messages

type: alias

alias to: event.original

An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if include_raw_message is set in the config.

auditd.warnings

type: alias

alias to: error.message

The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.

geoip fields

The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or Ingest Node.

geoip.continent_name

type: keyword

The name of the continent.

geoip.city_name

type: keyword

The name of the city.

geoip.region_name

type: keyword

The name of the region.

geoip.country_iso_code

type: keyword

Country ISO code.

geoip.location

type: geo_point

The longitude and latitude.