Auditd Fields

Module for parsing auditd logs.

Fields from the auditd logs.

Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type.

The audit event type.

For login events this is the old audit ID used for the user prior to this login.

For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).

For login events this is the old session ID used for the user prior to this login.

For login events this is the new session ID. It can be used to tie a user to future events by session ID.

type: long

The audit event sequence number.

The user account name associated with the event.

The ID of the process.

The ID of the process.

The number of items in an event.

The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item.

The first argument to the system call.

The result of the system call (success or failure).

Contains GeoIP information gathered based on the auditd.log.addr field. Only present if the GeoIP Elasticsearch plugin is available and used.

type: keyword

The name of the continent.

type: keyword

The name of the city.

type: keyword

The name of the region.

type: keyword

Country ISO code.

type: geo_point

The longitude and latitude.