Common fields

Contains common fields available in all event types.

file fields

File attributes.

file.setuid

type: boolean

example: True

Set if the file has the setuid bit set. Omitted otherwise.

file.setgid

type: boolean

example: True

Set if the file has the setgid bit set. Omitted otherwise.

file.origin

type: keyword

An array of strings describing a possible external origin for this file, for example the URL it was downloaded from. Only supported on macOS, via the kMDItemWhereFroms extended attribute. Omitted if origin information is not available.

file.origin.raw

type: keyword

This is a non-analyzed field that is useful for aggregations on the origin data.

selinux fields

The SELinux identity of the file.

file.selinux.user

type: keyword

The owner of the object.

file.selinux.role

type: keyword

The object’s SELinux role.

file.selinux.domain

type: keyword

The object’s SELinux domain or type.

file.selinux.level

type: keyword

example: s0

The object’s SELinux level.
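As an added illustration (example code, not Auditbeat's own implementation), the following Go program shows how the file.setuid, file.setgid and file.selinux.* fields described above can be derived from a raw st_mode value and an SELinux context string. The setuid/setgid booleans are emitted only when the bit is set and omitted otherwise, as the field descriptions specify, and the context "user:role:type:level" is split into the four selinux subfields, taking care that the MLS/MCS level component may itself contain ':'. The mode constants, function names and sample contexts are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Unix permission bits as found in st_mode from stat(2). Constructed for this
// example; the values match the POSIX S_ISUID / S_ISGID definitions.
const (
	sISUID uint32 = 0o4000
	sISGID uint32 = 0o2000
)

// SELinuxInfo holds the four components of a file's SELinux context
// (file.selinux.user / role / domain / level).
type SELinuxInfo struct {
	User   string `json:"user"`
	Role   string `json:"role"`
	Domain string `json:"domain"`
	Level  string `json:"level,omitempty"`
}

// FileFields is the subset of "file" fields covered here. Setuid and Setgid are
// pointers so an unset bit is omitted from the document rather than emitted as
// false, which is what the field descriptions require.
type FileFields struct {
	Setuid  *bool        `json:"setuid,omitempty"`
	Setgid  *bool        `json:"setgid,omitempty"`
	SELinux *SELinuxInfo `json:"selinux,omitempty"`
}

// flagIfSet returns a pointer to true when bit is set in mode, nil otherwise.
func flagIfSet(mode, bit uint32) *bool {
	if mode&bit == 0 {
		return nil
	}
	set := true
	return &set
}

// ParseSELinuxContext splits "user:role:type:level" into its components. The
// level may contain ':' itself (e.g. "s0-s0:c0.c1023"), so only the first three
// separators delimit fields. An empty context yields nil (no SELinux label).
func ParseSELinuxContext(ctx string) (*SELinuxInfo, error) {
	if ctx == "" {
		return nil, nil
	}
	parts := strings.SplitN(ctx, ":", 4)
	if len(parts) < 3 {
		return nil, errors.New("selinux context needs at least user:role:type")
	}
	info := &SELinuxInfo{User: parts[0], Role: parts[1], Domain: parts[2]}
	if len(parts) == 4 {
		info.Level = parts[3]
	}
	return info, nil
}

// BuildFileFields derives the file.* fields from a raw st_mode and a context.
func BuildFileFields(mode uint32, selinuxCtx string) (FileFields, error) {
	sel, err := ParseSELinuxContext(selinuxCtx)
	if err != nil {
		return FileFields{}, err
	}
	return FileFields{
		Setuid:  flagIfSet(mode, sISUID),
		Setgid:  flagIfSet(mode, sISGID),
		SELinux: sel,
	}, nil
}

// FileFieldsJSON renders the fields under the "file" key as they would appear
// in an event document.
func FileFieldsJSON(mode uint32, selinuxCtx string) (string, error) {
	f, err := BuildFileFields(mode, selinuxCtx)
	if err != nil {
		return "", err
	}
	b, err := json.Marshal(map[string]FileFields{"file": f})
	return string(b), err
}

func main() {
	// Constructed sample: a setuid root binary with a typical targeted-policy label.
	out, err := FileFieldsJSON(0o104755, "system_u:object_r:passwd_exec_t:s0")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(out)
	// A plain file: no setuid/setgid keys and no selinux object at all.
	out, _ = FileFieldsJSON(0o100644, "")
	fmt.Println(out)
}
```

The point of the pointer-typed booleans is that a detection rule matching on `file.setuid: true` can rely on the key being absent for ordinary files, so "field exists" and "field is true" are equivalent queries for these two fields.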

user fields

User information.

audit fields

Audit user information.

user.audit.id

type: keyword

Audit user ID.

user.audit.name

type: keyword

Audit user name.

effective fields

Effective user information.

user.effective.id

type: keyword

Effective user ID.

user.effective.name

type: keyword

Effective user name.

group fields

Effective group information.

user.effective.group.id

type: keyword

Effective group ID.

user.effective.group.name

type: keyword

Effective group name.

filesystem fields

Filesystem user information.

user.filesystem.id

type: keyword

Filesystem user ID.

user.filesystem.name

type: keyword

Filesystem user name.

group fields

Filesystem group information.

user.filesystem.group.id

type: keyword

Filesystem group ID.

user.filesystem.group.name

type: keyword

Filesystem group name.

saved fields

Saved user information.

user.saved.id

type: keyword

Saved user ID.

user.saved.name

type: keyword

Saved user name.

group fields

Saved group information.

user.saved.group.id

type: keyword

Saved group ID.

user.saved.group.name

type: keyword

Saved group name.