Auditd fields

These are the fields generated by the auditd module.

user.auid

type: alias

alias to: user.audit.id

user.uid

type: alias

alias to: user.id

user.fsuid

type: alias

alias to: user.filesystem.id

user.suid

type: alias

alias to: user.saved.id

user.gid

type: alias

alias to: user.group.id

user.sgid

type: alias

alias to: user.saved.group.id

user.fsgid

type: alias

alias to: user.filesystem.group.id

name_map

If resolve_ids is set to true in the configuration then name_map will contain a mapping of uid field names to the resolved name (e.g. auid → root).

user.name_map.auid

type: alias

alias to: user.audit.name

user.name_map.uid

type: alias

alias to: user.name

user.name_map.fsuid

type: alias

alias to: user.filesystem.name

user.name_map.suid

type: alias

alias to: user.saved.name

user.name_map.gid

type: alias

alias to: user.group.name

user.name_map.sgid

type: alias

alias to: user.saved.group.name

user.name_map.fsgid

type: alias

alias to: user.filesystem.group.name

selinux

The SELinux identity of the actor.

user.selinux.user

account submitted for authentication

type: keyword

user.selinux.role

user’s SELinux role

type: keyword

user.selinux.domain

The actor’s SELinux domain or type.

type: keyword

user.selinux.level

The actor’s SELinux level.

type: keyword

example: s0

user.selinux.category

The actor’s SELinux category or compartments.

type: keyword

process

Process attributes.

process.cwd

The current working directory.

type: alias

alias to: process.working_directory

source

Source that triggered the event.

source.path

This is the path associated with a unix socket.

type: keyword

destination

Destination address that triggered the event.

destination.path

This is the path associated with a unix socket.

type: keyword

auditd.message_type

The audit message type (e.g. syscall or apparmor_denied).

type: keyword

example: syscall

auditd.sequence

The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can roll over.

type: long

auditd.session

The session ID assigned to a login. All events related to a login session will have the same value.

type: keyword

auditd.result

The result of the audited operation (success/fail).

type: keyword

example: success or fail

actor

The actor is the user that triggered the audit event.

auditd.summary.actor.primary

The primary identity of the actor. This is the actor’s original login ID. It will not change even if the user changes to another account.

type: keyword

auditd.summary.actor.secondary

The secondary identity of the actor. This is typically the same as the primary, except for when the user has used su.

type: keyword

object

This is the thing or object being acted upon in the event.

auditd.summary.object.type

A description of what the "thing" is (e.g. file, socket, user-session).

type: keyword

auditd.summary.object.primary

type: keyword

auditd.summary.object.secondary

type: keyword

auditd.summary.how

This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.

type: keyword

paths

List of paths associated with the event.

auditd.paths.inode

inode number

type: keyword

auditd.paths.dev

device name as found in /dev

type: keyword

auditd.paths.obj_user

type: keyword

auditd.paths.obj_role

type: keyword

auditd.paths.obj_domain

type: keyword

auditd.paths.obj_level

type: keyword

auditd.paths.objtype

type: keyword

auditd.paths.ouid

file owner user ID

type: keyword

auditd.paths.rdev

the device identifier (special files only)

type: keyword

auditd.paths.nametype

kind of file operation being referenced

type: keyword

auditd.paths.ogid

file owner group ID

type: keyword

auditd.paths.item

which item is being recorded

type: keyword

auditd.paths.mode

mode flags on a file

type: keyword

auditd.paths.name

file name in avcs

type: keyword

data

The data from the audit messages.

auditd.data.action

netfilter packet disposition

type: keyword

auditd.data.minor

device minor number

type: keyword

auditd.data.acct

a user’s account name

type: keyword

auditd.data.addr

the remote address that the user is connecting from

type: keyword

auditd.data.cipher

name of crypto cipher selected

type: keyword

auditd.data.id

during account changes

type: keyword

auditd.data.entries

number of entries in the netfilter table

type: keyword

auditd.data.kind

server or client in crypto operation

type: keyword

auditd.data.ksize

key size for crypto operation

type: keyword

auditd.data.spid

sent process ID

type: keyword

auditd.data.arch

the elf architecture flags

type: keyword

auditd.data.argc

the number of arguments to an execve syscall

type: keyword

auditd.data.major

device major number

type: keyword

auditd.data.unit

systemd unit

type: keyword

auditd.data.table

netfilter table name

type: keyword

auditd.data.terminal

terminal name the user is running programs on

type: keyword

auditd.data.grantors

pam modules approving the action

type: keyword

auditd.data.direction

direction of crypto operation

type: keyword

auditd.data.op

the operation being performed that is audited

type: keyword

auditd.data.tty

tty device the user is running programs on

type: keyword

auditd.data.syscall

syscall number in effect when the event occurred

type: keyword

auditd.data.data

TTY text

type: keyword

auditd.data.family

netfilter protocol

type: keyword

auditd.data.mac

crypto MAC algorithm selected

type: keyword

auditd.data.pfs

perfect forward secrecy method

type: keyword

auditd.data.items

the number of path records in the event

type: keyword

auditd.data.a0

type: keyword

auditd.data.a1

type: keyword

auditd.data.a2

type: keyword

auditd.data.a3

type: keyword

auditd.data.hostname

the hostname that the user is connecting from

type: keyword

auditd.data.lport

local network port

type: keyword

auditd.data.rport

remote port number

type: keyword

auditd.data.exit

syscall exit code

type: keyword

auditd.data.fp

crypto key fingerprint

type: keyword

auditd.data.laddr

local network address

type: keyword

auditd.data.sport

local port number

type: keyword

auditd.data.capability

posix capabilities

type: keyword

auditd.data.nargs

the number of arguments to a socket call

type: keyword

auditd.data.new-enabled

new TTY audit enabled setting

type: keyword

auditd.data.audit_backlog_limit

audit system’s backlog queue size

type: keyword

auditd.data.dir

directory name

type: keyword

auditd.data.cap_pe

process effective capability map

type: keyword

auditd.data.model

security model being used for virt

type: keyword

auditd.data.new_pp

new process permitted capability map

type: keyword

auditd.data.old-enabled

present TTY audit enabled setting

type: keyword

auditd.data.oauid

object’s login user ID

type: keyword

auditd.data.old

old value

type: keyword

auditd.data.banners

banners used on printed page

type: keyword

auditd.data.feature

kernel feature being changed

type: keyword

auditd.data.vm-ctx

the vm’s context string

type: keyword

auditd.data.opid

object’s process ID

type: keyword

auditd.data.seperms

SELinux permissions being used

type: keyword

auditd.data.seresult

SELinux AVC decision granted/denied

type: keyword

auditd.data.new-rng

device name of rng being added from a vm

type: keyword

auditd.data.old-net

present MAC address assigned to vm

type: keyword

auditd.data.sigev_signo

signal number

type: keyword

auditd.data.ino

inode number

type: keyword

auditd.data.old_enforcing

old MAC enforcement status

type: keyword

auditd.data.old-vcpu

present number of CPU cores

type: keyword

auditd.data.range

user’s SE Linux range

type: keyword

auditd.data.res

result of the audited operation (success/fail)

type: keyword

auditd.data.added

number of new files detected

type: keyword

auditd.data.fam

socket address family

type: keyword

auditd.data.nlnk-pid

pid of netlink packet sender

type: keyword

auditd.data.subj

lspp subject’s context string

type: keyword

auditd.data.a[0-3]

the arguments to a syscall

type: keyword

auditd.data.cgroup

path to cgroup in sysfs

type: keyword

auditd.data.kernel

kernel’s version number

type: keyword

auditd.data.ocomm

object’s command line name

type: keyword

auditd.data.new-net

MAC address being assigned to vm

type: keyword

auditd.data.permissive

SELinux is in permissive mode

type: keyword

auditd.data.class

resource class assigned to vm

type: keyword

auditd.data.compat

is_compat_task result

type: keyword

auditd.data.fi

file assigned inherited capability map

type: keyword

auditd.data.changed

number of changed files

type: keyword

auditd.data.msg

the payload of the audit record

type: keyword

auditd.data.dport

remote port number

type: keyword

auditd.data.new-seuser

new SELinux user

type: keyword

auditd.data.invalid_context

SELinux context

type: keyword

auditd.data.dmac

remote MAC address

type: keyword

auditd.data.ipx-net

IPX network number

type: keyword

auditd.data.iuid

ipc object’s user ID

type: keyword

auditd.data.macproto

ethernet packet type ID field

type: keyword

auditd.data.obj

lspp object context string

type: keyword

auditd.data.ipid

IP datagram fragment identifier

type: keyword

auditd.data.new-fs

file system being added to vm

type: keyword

auditd.data.vm-pid

vm’s process ID

type: keyword

auditd.data.cap_pi

process inherited capability map

type: keyword

auditd.data.old-auid

previous auid value

type: keyword

auditd.data.oses

object’s session ID

type: keyword

auditd.data.fd

file descriptor number

type: keyword

auditd.data.igid

ipc object’s group ID

type: keyword

auditd.data.new-disk

disk being added to vm

type: keyword

auditd.data.parent

the inode number of the parent file

type: keyword

auditd.data.len

length

type: keyword

auditd.data.oflag

open syscall flags

type: keyword

auditd.data.uuid

a UUID

type: keyword

auditd.data.code

seccomp action code

type: keyword

auditd.data.nlnk-grp

netlink group number

type: keyword

auditd.data.cap_fp

file permitted capability map

type: keyword

auditd.data.new-mem

new amount of memory in KB

type: keyword

auditd.data.seperm

SELinux permission being decided on

type: keyword

auditd.data.enforcing

new MAC enforcement status

type: keyword

auditd.data.new-chardev

new character device being assigned to vm

type: keyword

auditd.data.old-rng

device name of rng being removed from a vm

type: keyword

auditd.data.outif

out interface number

type: keyword

auditd.data.cmd

command being executed

type: keyword

auditd.data.hook

netfilter hook that packet came from

type: keyword

auditd.data.new-level

new run level

type: keyword

auditd.data.sauid

sent login user ID

type: keyword

auditd.data.sig

signal number

type: keyword

auditd.data.audit_backlog_wait_time

audit system’s backlog wait time

type: keyword

auditd.data.printer

printer name

type: keyword

auditd.data.old-mem

present amount of memory in KB

type: keyword

auditd.data.perm

the file permission being used

type: keyword

auditd.data.old_pi

old process inherited capability map

type: keyword

auditd.data.state

audit daemon configuration resulting state

type: keyword

auditd.data.format

audit log’s format

type: keyword

auditd.data.new_gid

new group ID being assigned

type: keyword

auditd.data.tcontext

the target’s or object’s context string

type: keyword

auditd.data.maj

device major number

type: keyword

auditd.data.watch

file name in a watch record

type: keyword

auditd.data.device

device name

type: keyword

auditd.data.grp

group name

type: keyword

auditd.data.bool

name of SELinux boolean

type: keyword

auditd.data.icmp_type

type of icmp message

type: keyword

auditd.data.new_lock

new value of feature lock

type: keyword

auditd.data.old_prom

network promiscuity flag

type: keyword

auditd.data.acl

access mode of resource assigned to vm

type: keyword

auditd.data.ip

network address of a printer

type: keyword

auditd.data.new_pi

new process inherited capability map

type: keyword

auditd.data.default-context

default MAC context

type: keyword

auditd.data.inode_gid

group ID of the inode’s owner

type: keyword

auditd.data.new-log_passwd

new value for TTY password logging

type: keyword

auditd.data.new_pe

new process effective capability map

type: keyword

auditd.data.selected-context

new MAC context assigned to session

type: keyword

auditd.data.cap_fver

file system capabilities version number

type: keyword

auditd.data.file

file name

type: keyword

auditd.data.net

network MAC address

type: keyword

auditd.data.virt

kind of virtualization being referenced

type: keyword

auditd.data.cap_pp

process permitted capability map

type: keyword

auditd.data.old-range

present SELinux range

type: keyword

auditd.data.resrc

resource being assigned

type: keyword

auditd.data.new-range

new SELinux range

type: keyword

auditd.data.obj_gid

group ID of object

type: keyword

auditd.data.proto

network protocol

type: keyword

auditd.data.old-disk

disk being removed from vm

type: keyword

auditd.data.audit_failure

audit system’s failure mode

type: keyword

auditd.data.inif

in interface number

type: keyword

auditd.data.vm

virtual machine name

type: keyword

auditd.data.flags

mmap syscall flags

type: keyword

auditd.data.nlnk-fam

netlink protocol number

type: keyword

auditd.data.old-fs

file system being removed from vm

type: keyword

auditd.data.old-ses

previous ses value

type: keyword

auditd.data.seqno

sequence number

type: keyword

auditd.data.fver

file system capabilities version number

type: keyword

auditd.data.qbytes

ipc object’s quantity of bytes

type: keyword

auditd.data.seuser

user’s SE Linux user acct

type: keyword

auditd.data.cap_fe

file assigned effective capability map

type: keyword

auditd.data.new-vcpu

new number of CPU cores

type: keyword

auditd.data.old-level

old run level

type: keyword

auditd.data.old_pp

old process permitted capability map

type: keyword

auditd.data.daddr

remote IP address

type: keyword

auditd.data.old-role

present SELinux role

type: keyword

auditd.data.ioctlcmd

The request argument to the ioctl syscall

type: keyword

auditd.data.smac

local MAC address

type: keyword

auditd.data.apparmor

apparmor event information

type: keyword

auditd.data.fe

file assigned effective capability map

type: keyword

auditd.data.perm_mask

file permission mask that triggered a watch event

type: keyword

auditd.data.ses

login session ID

type: keyword

auditd.data.cap_fi

file inherited capability map

type: keyword

auditd.data.obj_uid

user ID of object

type: keyword

auditd.data.reason

text string denoting a reason for the action

type: keyword

auditd.data.list

the audit system’s filter list number

type: keyword

auditd.data.old_lock

present value of feature lock

type: keyword

auditd.data.bus

name of subsystem bus a vm resource belongs to

type: keyword

auditd.data.old_pe

old process effective capability map

type: keyword

auditd.data.new-role

new SELinux role

type: keyword

auditd.data.prom

network promiscuity flag

type: keyword

auditd.data.uri

URI pointing to a printer

type: keyword

auditd.data.audit_enabled

audit system’s enable/disable status

type: keyword

auditd.data.old-log_passwd

present value for TTY password logging

type: keyword

auditd.data.old-seuser

present SELinux user

type: keyword

auditd.data.per

linux personality

type: keyword

auditd.data.scontext

the subject’s context string

type: keyword

auditd.data.tclass

target’s object classification

type: keyword

auditd.data.ver

audit daemon’s version number

type: keyword

auditd.data.new

value being set in feature

type: keyword

auditd.data.val

generic value associated with the operation

type: keyword

auditd.data.img-ctx

the vm’s disk image context string

type: keyword

auditd.data.old-chardev

present character device assigned to vm

type: keyword

auditd.data.old_val

current value of SELinux boolean

type: keyword

auditd.data.success

whether the syscall was successful or not

type: keyword

auditd.data.inode_uid

user ID of the inode’s owner

type: keyword

auditd.data.removed

number of deleted files

type: keyword

auditd.data.socket.port

The port number.

type: keyword

auditd.data.socket.saddr

The raw socket address structure.

type: keyword

auditd.data.socket.addr

The remote address.

type: keyword

auditd.data.socket.family

The socket family (unix, ipv4, ipv6, netlink).

type: keyword

example: unix

auditd.data.socket.path

This is the path associated with a unix socket.

type: keyword

auditd.messages

An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if include_raw_message is set in the config.

type: alias

alias to: event.original

auditd.warnings

The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.

type: alias

alias to: error.message

geoip

The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or an Elasticsearch geoip ingest processor.

geoip.continent_name

The name of the continent.

type: keyword

geoip.city_name

The name of the city.

type: keyword

geoip.region_name

The name of the region.

type: keyword

geoip.country_iso_code

Country ISO code.

type: keyword

geoip.location

The longitude and latitude.

type: geo_point