IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Process fields Monitor Auditbeat »
Elastic Docs Auditbeat Reference [7.6] Exported fields

System fields

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

System fields

edit

These are the fields generated by the system module.

event.origin

Origin of the event. This can be a file path (e.g. /var/log/log.1), or the name of the system component that supplied the data (e.g. netlink).

type: keyword

user.entity_id

ID uniquely identifying the user on a host. It is computed as a SHA-256 hash of the host ID, user ID, and user name.

type: keyword

user.terminal

Terminal of the user.

type: keyword

process.entity_id

ID uniquely identifying the process. It is computed as a SHA-256 hash of the host ID, PID, and process start time.

type: keyword

hash

edit

Hashes of the executable. The keys are algorithm names and the values are the hex encoded digest values.

process.hash.blake2b_256

BLAKE2b-256 hash of the executable.

type: keyword

process.hash.blake2b_384

BLAKE2b-384 hash of the executable.

type: keyword

process.hash.blake2b_512

BLAKE2b-512 hash of the executable.

type: keyword

process.hash.sha224

SHA224 hash of the executable.

type: keyword

process.hash.sha384

SHA384 hash of the executable.

type: keyword

process.hash.sha3_224

SHA3_224 hash of the executable.

type: keyword

process.hash.sha3_256

SHA3_256 hash of the executable.

type: keyword

process.hash.sha3_384

SHA3_384 hash of the executable.

type: keyword

process.hash.sha3_512

SHA3_512 hash of the executable.

type: keyword

process.hash.sha512_224

SHA512/224 hash of the executable.

type: keyword

process.hash.sha512_256

SHA512/256 hash of the executable.

type: keyword

process.hash.xxh64

XX64 hash of the executable.

type: keyword

socket.entity_id

ID uniquely identifying the socket. It is computed as a SHA-256 hash of the host ID, socket inode, local IP, local port, remote IP, and remote port.

type: keyword

system.audit

edit

host

edit

host contains general host information.

system.audit.host.uptime

Uptime in nanoseconds.

type: long

format: duration

system.audit.host.boottime

Boot time.

type: date

system.audit.host.containerized

Set if host is a container.

type: boolean

system.audit.host.timezone.name

Name of the timezone of the host, e.g. BST.

type: keyword

system.audit.host.timezone.offset.sec

Timezone offset in seconds.

type: long

system.audit.host.hostname

Hostname.

type: keyword

system.audit.host.id

Host ID.

type: keyword

system.audit.host.architecture

Host architecture (e.g. x86_64).

type: keyword

system.audit.host.mac

MAC addresses.

type: keyword

system.audit.host.ip

IP addresses.

type: ip

os

edit

os contains information about the operating system.

system.audit.host.os.codename

OS codename, if any (e.g. stretch).

type: keyword

system.audit.host.os.platform

OS platform (e.g. centos, ubuntu, windows).

type: keyword

system.audit.host.os.name

OS name (e.g. Mac OS X).

type: keyword

system.audit.host.os.family

OS family (e.g. redhat, debian, freebsd, windows).

type: keyword

system.audit.host.os.version

OS version.

type: keyword

system.audit.host.os.kernel

The operating system’s kernel version.

type: keyword

package

edit

package contains information about an installed or removed package.

system.audit.package.entity_id

ID uniquely identifying the package. It is computed as a SHA-256 hash of the host ID, package name, and package version.

type: keyword

system.audit.package.name

Package name.

type: keyword

system.audit.package.version

Package version.

type: keyword

system.audit.package.release

Package release.

type: keyword

system.audit.package.arch

Package architecture.

type: keyword

system.audit.package.license

Package license.

type: keyword

system.audit.package.installtime

Package install time.

type: date

system.audit.package.size

Package size.

type: long

system.audit.package.summary

Package summary.

system.audit.package.url

Package URL.

type: keyword

user

edit

user contains information about the users on a system.

system.audit.user.name

User name.

type: keyword

system.audit.user.uid

User ID.

type: keyword

system.audit.user.gid

Group ID.

type: keyword

system.audit.user.dir

User’s home directory.

type: keyword

system.audit.user.shell

Program to run at login.

type: keyword

system.audit.user.user_information

General user information. On Linux, this is the gecos field.

type: keyword

system.audit.user.group

group contains information about any groups the user is part of (beyond the user’s primary group).

type: object

password

edit

password contains information about a user’s password (not the password itself).

system.audit.user.password.type

A user’s password type. Possible values are shadow_password (the password hash is in the shadow file), password_disabled, no_password (this is dangerous as anyone can log in), and crypt_password (when the password field in /etc/passwd seems to contain an encrypted password).

type: keyword

system.audit.user.password.last_changed

The day the user’s password was last changed.

type: date

« Process fields Monitor Auditbeat »