Auditbeat Reference
Common fields

Contains common fields available in all event types.
file

File attributes.

- file.setuid: Set if the file has the setuid bit set. Omitted otherwise.
  type: boolean
  example: True
- file.setgid: Set if the file has the setgid bit set. Omitted otherwise.
  type: boolean
  example: True
- file.origin: An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.
  type: keyword
- file.origin.raw: This is a non-analyzed field that is useful for aggregations on the origin data.
  type: keyword
selinux

The SELinux identity of the file.

- file.selinux.user: The owner of the object.
  type: keyword
- file.selinux.role: The object's SELinux role.
  type: keyword
- file.selinux.domain: The object's SELinux domain or type.
  type: keyword
- file.selinux.level: The object's SELinux level.
  type: keyword
  example: s0
user

User information.

audit

Audit user information.

- user.audit.id: Audit user ID.
  type: keyword
- user.audit.name: Audit user name.
  type: keyword
effective

Effective user information.

- user.effective.id: Effective user ID.
  type: keyword
- user.effective.name: Effective user name.
  type: keyword

group

Effective group information.

- user.effective.group.id: Effective group ID.
  type: keyword
- user.effective.group.name: Effective group name.
  type: keyword
filesystem

Filesystem user information.

- user.filesystem.id: Filesystem user ID.
  type: keyword
- user.filesystem.name: Filesystem user name.
  type: keyword

group

Filesystem group information.

- user.filesystem.group.id: Filesystem group ID.
  type: keyword
- user.filesystem.group.name: Filesystem group name.
  type: keyword
saved

Saved user information.

- user.saved.id: Saved user ID.
  type: keyword
- user.saved.name: Saved user name.
  type: keyword

group

Saved group information.

- user.saved.group.id: Saved group ID.
  type: keyword
- user.saved.group.name: Saved group name.
  type: keyword