fields.yml
- key: auditd
  title: Auditd
  description: These are the fields generated by the auditd module.
  fields:
    - name: user
      type: group
      fields:
        - name: auid
          type: keyword
          description: login user ID
        - name: uid
          type: keyword
          description: user ID
        - name: euid
          type: keyword
          description: effective user ID
        - name: fsuid
          type: keyword
          description: file system user ID
        - name: suid
          type: keyword
          description: sent user ID
        - name: gid
          type: keyword
          description: group ID
        - name: egid
          type: keyword
          description: effective group ID
        - name: sgid
          type: keyword
          description: set group ID
        - name: fsgid
          type: keyword
          description: file system group ID
        - name: name_map
          type: group
          description: >
            If `resolve_ids` is set to true in the configuration then `name_map`
            will contain a mapping of uid field names to the resolved name
            (e.g. auid -> root).
          fields:
            - name: auid
              type: keyword
              description: login user name
            - name: uid
              type: keyword
              description: user name
            - name: euid
              type: keyword
              description: effective user name
            - name: fsuid
              type: keyword
              description: file system user name
            - name: suid
              type: keyword
              description: sent user name
            - name: gid
              type: keyword
              description: group name
            - name: egid
              type: keyword
              description: effective group name
            - name: sgid
              type: keyword
              description: set group name
            - name: fsgid
              type: keyword
              description: file system group name
        - name: selinux
          type: group
          description: The SELinux identity of the actor.
          fields:
            - name: user
              type: keyword
              description: account submitted for authentication
            - name: role
              type: keyword
              description: user's SELinux role
            - name: domain
              type: keyword
              description: The actor's SELinux domain or type.
            - name: level
              type: keyword
              example: s0
              description: The actor's SELinux level.
            - name: category
              type: keyword
              description: The actor's SELinux category or compartments.
    - name: process
      type: group
      description: Process attributes.
      fields:
        - name: cwd
          type: keyword
          description: The current working directory.
    - name: source
      type: group
      description: Source that triggered the event.
      fields:
        - name: path
          type: keyword
          description: This is the path associated with a unix socket.
    - name: destination
      type: group
      description: Destination address that triggered the event.
      fields:
        - name: path
          type: keyword
          description: This is the path associated with a unix socket.
    - name: auditd
      type: group
      fields:
        - name: sequence
          type: long
          description: >
            The sequence number of the event as assigned by the kernel. Sequence
            numbers are stored as a uint32 in the kernel and can rollover.
        - name: session
          type: keyword
          description: >
            The session ID assigned to a login. All events related to a login
            session will have the same value.
        - name: result
          type: keyword
          example: success or fail
          description: The result of the audited operation (success/fail).
        - name: summary
          type: group
          fields:
            - name: actor
              type: group
              description: The actor is the user that triggered the audit event.
              fields:
                - name: primary
                  type: keyword
                  description: >
                    The primary identity of the actor. This is the actor's original login
                    ID. It will not change even if the user changes to another account.
                - name: secondary
                  type: keyword
                  description: >
                    The secondary identity of the actor. This is typically
                    the same as the primary, except for when the user has used `su`.
            - name: object
              type: group
              description: >
                This is the thing or object being acted upon in the event.
              fields:
                - name: type
                  type: keyword
                  description: >
                    A description of what the "thing" is (e.g. file, socket,
                    user-session).
                - name: primary
                  type: keyword
                  description: ""
                - name: secondary
                  type: keyword
                  description: ""
            - name: how
              type: keyword
              description: >
                This describes how the action was performed. Usually this is the exe
                or command that was being executed that triggered the event.
        - name: paths
          type: group
          description: List of paths associated with the event.
          fields:
            - name: inode
              type: keyword
              description: inode number
            - name: dev
              type: keyword
              description: device name as found in /dev
            - name: obj_user
              type: keyword
              description: ""
            - name: obj_role
              type: keyword
              description: ""
            - name: obj_domain
              type: keyword
              description: ""
            - name: obj_level
              type: keyword
              description: ""
            - name: objtype
              type: keyword
              description: ""
            - name: ouid
              type: keyword
              description: file owner user ID
            - name: rdev
              type: keyword
              description: the device identifier (special files only)
            - name: nametype
              type: keyword
              description: kind of file operation being referenced
            - name: ogid
              type: keyword
              description: file owner group ID
            - name: item
              type: keyword
              description: which item is being recorded
            - name: mode
              type: keyword
              description: mode flags on a file
            - name: name
              type: keyword
              description: file name in AVCs
        - name: data
          type: group
          description: The data from the audit messages.
          fields:
            - name: action
              type: keyword
              description: netfilter packet disposition
            - name: minor
              type: keyword
              description: device minor number
            - name: acct
              type: keyword
              description: a user's account name
            - name: addr
              type: keyword
              description: the remote address that the user is connecting from
            - name: cipher
              type: keyword
              description: name of crypto cipher selected
            - name: id
              type: keyword
              description: during account changes
            - name: entries
              type: keyword
              description: number of entries in the netfilter table
            - name: kind
              type: keyword
              description: server or client in crypto operation
            - name: ksize
              type: keyword
              description: key size for crypto operation
            - name: spid
              type: keyword
              description: sent process ID
            - name: arch
              type: keyword
              description: the ELF architecture flags
            - name: argc
              type: keyword
              description: the number of arguments to an execve syscall
            - name: major
              type: keyword
              description: device major number
            - name: unit
              type: keyword
              description: systemd unit
            - name: table
              type: keyword
              description: netfilter table name
            - name: terminal
              type: keyword
              description: terminal name the user is running programs on
            - name: grantors
              type: keyword
              description: pam modules approving the action
            - name: direction
              type: keyword
              description: direction of crypto operation
            - name: op
              type: keyword
              description: the operation being performed that is audited
            - name: tty
              type: keyword
              description: tty device the user is running programs on
            - name: syscall
              type: keyword
              description: syscall number in effect when the event occurred
            - name: data
              type: keyword
              description: TTY text
            - name: family
              type: keyword
              description: netfilter protocol
            - name: mac
              type: keyword
              description: crypto MAC algorithm selected
            - name: pfs
              type: keyword
              description: perfect forward secrecy method
            - name: items
              type: keyword
              description: the number of path records in the event
            - name: a0
              type: keyword
              description: ""
            - name: a1
              type: keyword
              description: ""
            - name: a2
              type: keyword
              description: ""
            - name: a3
              type: keyword
              description: ""
            - name: hostname
              type: keyword
              description: the hostname that the user is connecting from
            - name: lport
              type: keyword
              description: local network port
            - name: rport
              type: keyword
              description: remote port number
            - name: exit
              type: keyword
              description: syscall exit code
            - name: fp
              type: keyword
              description: crypto key fingerprint
            - name: laddr
              type: keyword
              description: local network address
            - name: sport
              type: keyword
              description: local port number
            - name: capability
              type: keyword
              description: POSIX capabilities
            - name: nargs
              type: keyword
              description: the number of arguments to a socket call
            - name: new-enabled
              type: keyword
              description: new TTY audit enabled setting
            - name: audit_backlog_limit
              type: keyword
              description: audit system's backlog queue size
            - name: dir
              type: keyword
              description: directory name
            - name: cap_pe
              type: keyword
              description: process effective capability map
            - name: model
              type: keyword
              description: security model being used for virt
            - name: new_pp
              type: keyword
              description: new process permitted capability map
            - name: old-enabled
              type: keyword
              description: present TTY audit enabled setting
            - name: oauid
              type: keyword
              description: object's login user ID
            - name: old
              type: keyword
              description: old value
            - name: banners
              type: keyword
              description: banners used on printed page
            - name: feature
              type: keyword
              description: kernel feature being changed
            - name: vm-ctx
              type: keyword
              description: the vm's context string
            - name: opid
              type: keyword
              description: object's process ID
            - name: seperms
              type: keyword
              description: SELinux permissions being used
            - name: seresult
              type: keyword
              description: SELinux AVC decision granted/denied
            - name: new-rng
              type: keyword
              description: device name of rng being added from a vm
            - name: old-net
              type: keyword
              description: present MAC address assigned to vm
            - name: sigev_signo
              type: keyword
              description: signal number
            - name: ino
              type: keyword
              description: inode number
            - name: old_enforcing
              type: keyword
              description: old MAC enforcement status
            - name: old-vcpu
              type: keyword
              description: present number of CPU cores
            - name: range
              type: keyword
              description: user's SELinux range
            - name: res
              type: keyword
              description: result of the audited operation (success/fail)
            - name: added
              type: keyword
              description: number of new files detected
            - name: fam
              type: keyword
              description: socket address family
            - name: nlnk-pid
              type: keyword
              description: pid of netlink packet sender
            - name: subj
              type: keyword
              description: LSPP subject's context string
            - name: a[0-3]
              type: keyword
              description: the arguments to a syscall
            - name: cgroup
              type: keyword
              description: path to cgroup in sysfs
            - name: kernel
              type: keyword
              description: kernel's version number
            - name: ocomm
              type: keyword
              description: object's command line name
            - name: new-net
              type: keyword
              description: MAC address being assigned to vm
            - name: permissive
              type: keyword
              description: SELinux is in permissive mode
            - name: class
              type: keyword
              description: resource class assigned to vm
            - name: compat
              type: keyword
              description: is_compat_task result
            - name: fi
              type: keyword
              description: file assigned inherited capability map
            - name: changed
              type: keyword
              description: number of changed files
            - name: msg
              type: keyword
              description: the payload of the audit record
            - name: dport
              type: keyword
              description: remote port number
            - name: new-seuser
              type: keyword
              description: new SELinux user
            - name: invalid_context
              type: keyword
              description: SELinux context
            - name: dmac
              type: keyword
              description: remote MAC address
            - name: ipx-net
              type: keyword
              description: IPX network number
            - name: iuid
              type: keyword
              description: ipc object's user ID
            - name: macproto
              type: keyword
              description: ethernet packet type ID field
            - name: obj
              type: keyword
              description: LSPP object context string
            - name: ipid
              type: keyword
              description: IP datagram fragment identifier
            - name: new-fs
              type: keyword
              description: file system being added to vm
            - name: vm-pid
              type: keyword
              description: vm's process ID
            - name: cap_pi
              type: keyword
              description: process inherited capability map
            - name: old-auid
              type: keyword
              description: previous auid value
            - name: oses
              type: keyword
              description: object's session ID
            - name: fd
              type: keyword
              description: file descriptor number
            - name: igid
              type: keyword
              description: ipc object's group ID
            - name: new-disk
              type: keyword
              description: disk being added to vm
            - name: parent
              type: keyword
              description: the inode number of the parent file
            - name: len
              type: keyword
              description: length
            - name: oflag
              type: keyword
              description: open syscall flags
            - name: uuid
              type: keyword
              description: a UUID
            - name: code
              type: keyword
              description: seccomp action code
            - name: nlnk-grp
              type: keyword
              description: netlink group number
            - name: cap_fp
              type: keyword
              description: file permitted capability map
            - name: new-mem
              type: keyword
              description: new amount of memory in KB
            - name: seperm
              type: keyword
              description: SELinux permission being decided on
            - name: enforcing
              type: keyword
              description: new MAC enforcement status
            - name: new-chardev
              type: keyword
              description: new character device being assigned to vm
            - name: old-rng
              type: keyword
              description: device name of rng being removed from a vm
            - name: outif
              type: keyword
              description: out interface number
            - name: cmd
              type: keyword
              description: command being executed
            - name: hook
              type: keyword
              description: netfilter hook that packet came from
            - name: new-level
              type: keyword
              description: new run level
            - name: sauid
              type: keyword
              description: sent login user ID
            - name: sig
              type: keyword
              description: signal number
            - name: audit_backlog_wait_time
              type: keyword
              description: audit system's backlog wait time
            - name: printer
              type: keyword
              description: printer name
            - name: old-mem
              type: keyword
              description: present amount of memory in KB
            - name: perm
              type: keyword
              description: the file permission being used
            - name: old_pi
              type: keyword
              description: old process inherited capability map
            - name: state
              type: keyword
              description: audit daemon configuration resulting state
            - name: format
              type: keyword
              description: audit log's format
            - name: new_gid
              type: keyword
              description: new group ID being assigned
            - name: tcontext
              type: keyword
              description: the target's or object's context string
            - name: maj
              type: keyword
              description: device major number
            - name: watch
              type: keyword
              description: file name in a watch record
            - name: device
              type: keyword
              description: device name
            - name: grp
              type: keyword
              description: group name
            - name: bool
              type: keyword
              description: name of SELinux boolean
            - name: icmp_type
              type: keyword
              description: type of icmp message
            - name: new_lock
              type: keyword
              description: new value of feature lock
            - name: old_prom
              type: keyword
              description: network promiscuity flag
            - name: acl
              type: keyword
              description: access mode of resource assigned to vm
            - name: ip
              type: keyword
              description: network address of a printer
            - name: new_pi
              type: keyword
              description: new process inherited capability map
            - name: default-context
              type: keyword
              description: default MAC context
            - name: inode_gid
              type: keyword
              description: group ID of the inode's owner
            - name: new-log_passwd
              type: keyword
              description: new value for TTY password logging
            - name: new_pe
              type: keyword
              description: new process effective capability map
            - name: selected-context
              type: keyword
              description: new MAC context assigned to session
            - name: cap_fver
              type: keyword
              description: file system capabilities version number
            - name: file
              type: keyword
              description: file name
            - name: net
              type: keyword
              description: network MAC address
            - name: virt
              type: keyword
              description: kind of virtualization being referenced
            - name: cap_pp
              type: keyword
              description: process permitted capability map
            - name: old-range
              type: keyword
              description: present SELinux range
            - name: resrc
              type: keyword
              description: resource being assigned
            - name: new-range
              type: keyword
              description: new SELinux range
            - name: obj_gid
              type: keyword
              description: group ID of object
            - name: proto
              type: keyword
              description: network protocol
            - name: old-disk
              type: keyword
              description: disk being removed from vm
            - name: audit_failure
              type: keyword
              description: audit system's failure mode
            - name: inif
              type: keyword
              description: in interface number
            - name: vm
              type: keyword
              description: virtual machine name
            - name: flags
              type: keyword
              description: mmap syscall flags
            - name: nlnk-fam
              type: keyword
              description: netlink protocol number
            - name: old-fs
              type: keyword
              description: file system being removed from vm
            - name: old-ses
              type: keyword
              description: previous ses value
            - name: seqno
              type: keyword
              description: sequence number
            - name: fver
              type: keyword
              description: file system capabilities version number
            - name: qbytes
              type: keyword
              description: ipc object's quantity of bytes
            - name: seuser
              type: keyword
              description: user's SELinux user account
            - name: cap_fe
              type: keyword
              description: file assigned effective capability map
            - name: new-vcpu
              type: keyword
              description: new number of CPU cores
            - name: old-level
              type: keyword
              description: old run level
            - name: old_pp
              type: keyword
              description: old process permitted capability map
            - name: daddr
              type: keyword
              description: remote IP address
            - name: old-role
              type: keyword
              description: present SELinux role
            - name: ioctlcmd
              type: keyword
              description: The request argument to the ioctl syscall
            - name: smac
              type: keyword
              description: local MAC address
            - name: apparmor
              type: keyword
              description: apparmor event information
            - name: fe
              type: keyword
              description: file assigned effective capability map
            - name: perm_mask
              type: keyword
              description: file permission mask that triggered a watch event
            - name: ses
              type: keyword
              description: login session ID
            - name: cap_fi
              type: keyword
              description: file inherited capability map
            - name: obj_uid
              type: keyword
              description: user ID of object
            - name: reason
              type: keyword
              description: text string denoting a reason for the action
            - name: list
              type: keyword
              description: the audit system's filter list number
            - name: old_lock
              type: keyword
              description: present value of feature lock
            - name: bus
              type: keyword
              description: name of subsystem bus a vm resource belongs to
            - name: old_pe
              type: keyword
              description: old process effective capability map
            - name: new-role
              type: keyword
              description: new SELinux role
            - name: prom
              type: keyword
              description: network promiscuity flag
            - name: uri
              type: keyword
              description: URI pointing to a printer
            - name: audit_enabled
              type: keyword
              description: audit system's enable/disable status
            - name: old-log_passwd
              type: keyword
              description: present value for TTY password logging
            - name: old-seuser
              type: keyword
              description: present SELinux user
            - name: per
              type: keyword
              description: linux personality
            - name: scontext
              type: keyword
              description: the subject's context string
            - name: tclass
              type: keyword
              description: target's object classification
            - name: ver
              type: keyword
              description: audit daemon's version number
            - name: new
              type: keyword
              description: value being set in feature
            - name: val
              type: keyword
              description: generic value associated with the operation
            - name: img-ctx
              type: keyword
              description: the vm's disk image context string
            - name: old-chardev
              type: keyword
              description: present character device assigned to vm
            - name: old_val
              type: keyword
              description: current value of SELinux boolean
            - name: success
              type: keyword
              description: whether the syscall was successful or not
            - name: inode_uid
              type: keyword
              description: user ID of the inode's owner
            - name: removed
              type: keyword
              description: number of deleted files
            - name: socket
              type: group
              fields:
                - name: port
                  type: keyword
                  description: The port number.
                - name: saddr
                  type: keyword
                  description: The raw socket address structure.
                - name: addr
                  type: keyword
                  description: The remote address.
                - name: family
                  type: keyword
                  example: unix
                  description: The socket family (unix, ipv4, ipv6, netlink).
                - name: path
                  type: keyword
                  description: This is the path associated with a unix socket.
        - name: messages
          type: text
          description: >
            An ordered list of the raw messages received from the kernel that
            were used to construct this document. This field is present if an error
            occurred processing the data or if `include_raw_message` is set
            in the config.
        - name: warnings
          type: keyword
          description: >
            The warnings generated by the Beat during the construction of the event.
            These are disabled by default and are used for development and debug
            purposes only.
    - name: geoip
      type: group
      description: >
        The geoip fields are defined as a convenience in case you decide to
        enrich the data using a geoip filter in Logstash or Ingest Node.
      fields:
        - name: continent_name
          type: keyword
          description: >
            The name of the continent.
        - name: city_name
          type: keyword
          description: >
            The name of the city.
        - name: region_name
          type: keyword
          description: >
            The name of the region.
        - name: country_iso_code
          type: keyword
          description: >
            Country ISO code.
        - name: location
          type: geo_point
          description: >
            The longitude and latitude.
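An added example (not Auditbeat's own code) showing how raw kernel audit records map onto the layout above: identity keys move to `user.*`, `resolve_ids` fills `user.name_map`, the raw lines are kept in `auditd.messages` on a parse error or when `include_raw_message` is set, and the uint32 `auditd.sequence` is unwrapped across a rollover. The uid-to-name table and the sample records are constructed.

```python
import re

# Constructed stand-in for the passwd/group lookup that `resolve_ids` performs.
PASSWD = {"0": "root", "1000": "alice"}
UID_KEYS = ("auid", "uid", "euid", "fsuid", "suid", "gid", "egid", "sgid", "fsgid")
HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): ?(.*)$")
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')
UINT32 = 1 << 32

def parse_record(line):
    """Split one kernel record into (type, sequence, {key: value})."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("unparseable audit record: %r" % line)
    rtype, _ts, seq, body = m.groups()
    return rtype, int(seq), {k: v.strip('"') for k, v in KV.findall(body)}

class SequenceTracker:
    """Unwrap the kernel's uint32 sequence counter into a monotonic value: a
    backwards jump of more than half the range is a rollover, not an old event."""
    def __init__(self):
        self.last, self.epoch = None, 0
    def unwrap(self, raw):
        if self.last is not None and self.last - raw > UINT32 // 2:
            self.epoch += 1
        self.last = raw
        return self.epoch * UINT32 + raw

def build_document(lines, resolve_ids=False, include_raw_message=False):
    """Assemble the records sharing one sequence number into a fields.yml document."""
    doc = {"auditd": {"data": {}, "paths": []}, "user": {}, "process": {}}
    failed = False
    for line in lines:
        try:
            rtype, seq, kv = parse_record(line)
        except ValueError:
            failed = True  # keep going, but retain the raw messages for debugging
            continue
        doc["auditd"]["sequence"] = seq
        if rtype == "SYSCALL":
            for key in UID_KEYS:  # identity fields move from auditd.data to user.*
                if key in kv:
                    doc["user"][key] = kv.pop(key)
            if "ses" in kv:
                doc["auditd"]["session"] = kv["ses"]
            if "success" in kv:
                doc["auditd"]["result"] = "success" if kv["success"] == "yes" else "fail"
            doc["auditd"]["data"].update(kv)
        elif rtype == "PATH":
            doc["auditd"]["paths"].append(kv)
        elif rtype == "CWD":
            doc["process"]["cwd"] = kv.get("cwd")
    if resolve_ids:  # user.name_map mirrors user.* with resolved names (auid -> alice)
        doc["user"]["name_map"] = {k: PASSWD.get(v, v) for k, v in doc["user"].items()}
    if include_raw_message or failed:
        doc["auditd"]["messages"] = list(lines)
    return doc

# Constructed sample event: execve of /usr/bin/id by login user 1000 running as root.
SAMPLE = [
    'type=SYSCALL msg=audit(1524256103.104:4294967295): arch=c000003e syscall=59 success=yes '
    'exit=0 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 comm="id" exe="/usr/bin/id"',
    'type=CWD msg=audit(1524256103.104:4294967295): cwd="/home/alice"',
    'type=PATH msg=audit(1524256103.104:4294967295): item=0 name="/usr/bin/id" inode=1337 dev=fd:01 mode=0100755 ouid=0 ogid=0',
    'type=EOE msg=audit(1524256103.104:4294967295):',
]
```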