- Auditbeat Reference: other versions:
- Auditbeat overview
- Quick start: installation and configuration
- Set up and run
- Upgrade Auditbeat
- Configure
- Modules
- General settings
- Project paths
- Config file reloading
- Output
- Kerberos
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- rate_limit
- registered_domain
- rename
- syslog
- translate_sid
- truncate_fields
- urldecode
- Internal queue
- Logging
- HTTP endpoint
- Regular expression support
- Instrumentation
- auditbeat.reference.yml
- How to guides
- Modules
- Exported fields
- Monitor
- Secure
- Troubleshoot
- Get Help
- Debug
- Common problems
- Auditbeat fails to watch folders because too many files are open
- Auditbeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- Publishing to Logstash fails with "connection reset by peer" message
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Dashboard could not locate the index-pattern
- High RSS memory usage due to MADV settings
- Contribute to Beats
These are the fields generated by the system module.
-
event.origin -
Origin of the event. This can be a file path (e.g.
/var/log/log.1), or the name of the system component that supplied the data (e.g.netlink).type: keyword
-
user.entity_id -
ID uniquely identifying the user on a host. It is computed as a SHA-256 hash of the host ID, user ID, and user name.
type: keyword
-
user.terminal -
Terminal of the user.
type: keyword
Hashes of the executable. The keys are algorithm names and the values are the hex encoded digest values.
-
process.hash.blake2b_256 -
BLAKE2b-256 hash of the executable.
type: keyword
-
process.hash.blake2b_384 -
BLAKE2b-384 hash of the executable.
type: keyword
-
process.hash.blake2b_512 -
BLAKE2b-512 hash of the executable.
type: keyword
-
process.hash.sha224 -
SHA224 hash of the executable.
type: keyword
-
process.hash.sha384 -
SHA384 hash of the executable.
type: keyword
-
process.hash.sha3_224 -
SHA3_224 hash of the executable.
type: keyword
-
process.hash.sha3_256 -
SHA3_256 hash of the executable.
type: keyword
-
process.hash.sha3_384 -
SHA3_384 hash of the executable.
type: keyword
-
process.hash.sha3_512 -
SHA3_512 hash of the executable.
type: keyword
-
process.hash.sha512_224 -
SHA512/224 hash of the executable.
type: keyword
-
process.hash.sha512_256 -
SHA512/256 hash of the executable.
type: keyword
-
process.hash.xxh64 -
XX64 hash of the executable.
type: keyword
host contains general host information.
-
system.audit.host.uptime -
Uptime in nanoseconds.
type: long
format: duration
-
system.audit.host.boottime -
Boot time.
type: date
-
system.audit.host.containerized -
Set if host is a container.
type: boolean
-
system.audit.host.timezone.name -
Name of the timezone of the host, e.g. BST.
type: keyword
-
system.audit.host.timezone.offset.sec -
Timezone offset in seconds.
type: long
-
system.audit.host.hostname -
Hostname.
type: keyword
-
system.audit.host.id -
Host ID.
type: keyword
-
system.audit.host.architecture -
Host architecture (e.g. x86_64).
type: keyword
-
system.audit.host.mac -
MAC addresses.
type: keyword
-
system.audit.host.ip -
IP addresses.
type: ip
os contains information about the operating system.
-
system.audit.host.os.codename -
OS codename, if any (e.g. stretch).
type: keyword
-
system.audit.host.os.platform -
OS platform (e.g. centos, ubuntu, windows).
type: keyword
-
system.audit.host.os.name -
OS name (e.g. Mac OS X).
type: keyword
-
system.audit.host.os.family -
OS family (e.g. redhat, debian, freebsd, windows).
type: keyword
-
system.audit.host.os.version -
OS version.
type: keyword
-
system.audit.host.os.kernel -
The operating system’s kernel version.
type: keyword
-
system.audit.host.os.type -
OS type (see ECS os.type).
type: keyword
package contains information about an installed or removed package.
-
system.audit.package.entity_id -
ID uniquely identifying the package. It is computed as a SHA-256 hash of the host ID, package name, and package version.
type: keyword
-
system.audit.package.name -
Package name.
type: keyword
-
system.audit.package.version -
Package version.
type: keyword
-
system.audit.package.release -
Package release.
type: keyword
-
system.audit.package.arch -
Package architecture.
type: keyword
-
system.audit.package.license -
Package license.
type: keyword
-
system.audit.package.installtime -
Package install time.
type: date
-
system.audit.package.size -
Package size.
type: long
-
system.audit.package.summary -
Package summary.
-
system.audit.package.url -
Package URL.
type: keyword
user contains information about the users on a system.
-
system.audit.user.name -
User name.
type: keyword
-
system.audit.user.uid -
User ID.
type: keyword
-
system.audit.user.gid -
Group ID.
type: keyword
-
system.audit.user.dir -
User’s home directory.
type: keyword
-
system.audit.user.shell -
Program to run at login.
type: keyword
-
system.audit.user.user_information -
General user information. On Linux, this is the gecos field.
type: keyword
-
system.audit.user.group -
groupcontains information about any groups the user is part of (beyond the user’s primary group).type: object
password contains information about a user’s password (not the password itself).
-
system.audit.user.password.type -
A user’s password type. Possible values are
shadow_password(the password hash is in the shadow file),password_disabled,no_password(this is dangerous as anyone can log in), andcrypt_password(when the password field in /etc/passwd seems to contain an encrypted password).type: keyword
-
system.audit.user.password.last_changed -
The day the user’s password was last changed.
type: date