From b45465a23b9e92ca5477dfc24d3a3ce60ee0f36f Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Mon, 28 Jan 2019 22:30:14 -0500
Subject: [PATCH] Fix big mistake: module's main fields def must end with opening of the field group
---
 filebeat/docs/fields.asciidoc | 2768 ++++++++++++-----------
 filebeat/filebeat.reference.yml | 2 +-
 filebeat/module/auditd/_meta/fields.yml | 24 +-
 filebeat/module/auditd/fields.go | 2 +-
 4 files changed, 1412 insertions(+), 1384 deletions(-)
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index d42f99c8af6..bc01e44f450 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -414,392 +414,782 @@ Module for parsing auditd logs. Fields from the auditd logs. -[[exported-fields-beat]] -== Beat fields -Contains common beat fields available in all event types. +[float] +== log fields + +Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type. -*`beat.timezone`*:: +*`auditd.log.old_auid`*:: + -- -type: alias +For login events this is the old audit ID used for the user prior to this login. -alias to: event.timezone -- -*`fields`*:: +*`auditd.log.new_auid`*:: + -- -type: object +For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root). -Contains user configurable fields. +-- +*`auditd.log.old_ses`*:: ++ -- +For login events this is the old session ID used for the user prior to this login. -[float] -== error fields -Error fields containing additional info in case of errors. +-- + +*`auditd.log.new_ses`*:: ++ +-- +For login events this is the new session ID. It can be used to tie a user to future events by session ID. +-- -*`error.type`*:: +*`auditd.log.sequence`*:: + -- -type: keyword +type: long -Error type. +The audit event sequence number. -- -*`beat.name`*:: +*`auditd.log.items`*:: + -- -type: alias +The number of items in an event. -alias to: host.name -- -*`beat.hostname`*:: +*`auditd.log.item`*:: + -- -type: alias +The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item. -alias to: agent.hostname -- -[[exported-fields-cloud]] -== Cloud provider metadata fields - -Metadata from cloud providers added by the add_cloud_metadata processor. +*`auditd.log.a0`*:: ++ +-- +The first argument to the system call. +-- -*`cloud.project.id`*:: +*`auditd.log.acct`*:: + -- -example: project-x - -Name of the project in Google Cloud. 
+type: alias +alias to: user.name -- -*`meta.cloud.provider`*:: +*`auditd.log.pid`*:: + -- type: alias -alias to: cloud.provider +alias to: process.pid -- -*`meta.cloud.instance_id`*:: +*`auditd.log.ppid`*:: + -- type: alias -alias to: cloud.instance.id +alias to: process.ppid -- -*`meta.cloud.instance_name`*:: +*`auditd.log.res`*:: + -- type: alias -alias to: cloud.instance.name +alias to: event.outcome -- -*`meta.cloud.machine_type`*:: +*`auditd.log.record_type`*:: + -- type: alias -alias to: cloud.machine.type +alias to: event.action -- -*`meta.cloud.availability_zone`*:: + +*`auditd.log.geoip.continent_name`*:: + -- type: alias -alias to: cloud.availability_zone +alias to: source.geo.continent_name -- -*`meta.cloud.project_id`*:: +*`auditd.log.geoip.country_iso_code`*:: + -- type: alias -alias to: cloud.project.id +alias to: source.geo.country_iso_code -- -*`meta.cloud.region`*:: +*`auditd.log.geoip.location`*:: + -- type: alias -alias to: cloud.region +alias to: source.geo.location -- -[[exported-fields-docker-processor]] -== Docker fields - -Docker stats collected from Docker. - +*`auditd.log.geoip.region_name`*:: ++ +-- +type: alias +alias to: source.geo.region_name +-- -*`docker.container.id`*:: +*`auditd.log.geoip.city_name`*:: + -- type: alias -alias to: container.id +alias to: source.geo.city_name -- -*`docker.container.image`*:: +*`auditd.log.geoip.region_iso_code`*:: + -- type: alias -alias to: container.image.name +alias to: source.geo.region_iso_code -- -*`docker.container.name`*:: +*`auditd.log.arch`*:: + -- type: alias -alias to: container.name +alias to: host.architecture -- -*`docker.container.labels`*:: +*`auditd.log.gid`*:: + -- -type: object - -Image labels. +type: alias +alias to: user.group.id -- -[[exported-fields-ecs]] -== ECS fields - -ECS fields. 
+*`auditd.log.uid`*:: ++ +-- +type: alias +alias to: user.id +-- -*`@timestamp`*:: +*`auditd.log.agid`*:: + -- -type: date +type: alias -example: 2016-05-23T08:05:34.853Z +alias to: user.audit.group.id -required: True +-- -Date/time when the event originated. -For log events this is the date/time when the event was generated, and not when it was read. -Required field for all events. +*`auditd.log.auid`*:: ++ +-- +type: alias +alias to: user.audit.id -- -*`tags`*:: +*`auditd.log.fsgid`*:: + -- -type: keyword - -example: ["production", "env2"] - -List of keywords used to tag each event. +type: alias +alias to: user.filesystem.group.id -- -*`labels`*:: +*`auditd.log.fsuid`*:: + -- -type: object - -example: {'application': 'foo-bar', 'env': 'production'} - -Key/value pairs. -Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. -Example: `docker` and `k8s` labels. +type: alias +alias to: user.filesystem.id -- -*`message`*:: +*`auditd.log.egid`*:: + -- -type: text - -example: Hello World - -For log events the message field contains the log message. -In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message. +type: alias +alias to: user.effective.group.id -- -[float] -== agent fields - -The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. +*`auditd.log.euid`*:: ++ +-- +type: alias +alias to: user.effective.id +-- -*`agent.version`*:: +*`auditd.log.sgid`*:: + -- -type: keyword - -example: 6.0.0-rc2 - -Version of the agent. 
+type: alias +alias to: user.saved.group.id -- -*`agent.name`*:: +*`auditd.log.suid`*:: + -- -type: keyword - -example: foo - -Name of the agent. -This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. -If no name is given, the name is often left empty. +type: alias +alias to: user.saved.id -- -*`agent.type`*:: +*`auditd.log.ogid`*:: + -- -type: keyword - -example: filebeat - -Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. +type: alias +alias to: user.owner.group.id -- -*`agent.id`*:: +*`auditd.log.ouid`*:: + -- -type: keyword - -example: 8a4f500d - -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. +type: alias +alias to: user.owner.id -- -*`agent.ephemeral_id`*:: +*`auditd.log.comm`*:: + -- -type: keyword - -example: 8a4f500f +type: alias -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. +alias to: process.name +-- +*`auditd.log.exe`*:: ++ -- +type: alias -[float] -== client fields +alias to: process.executable -A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. 
Client fields are generally not populated for packet-level events. -Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. +-- + +*`auditd.log.terminal`*:: ++ +-- +type: alias +alias to: user.terminal +-- -*`client.address`*:: +*`auditd.log.tty`*:: + -- -type: keyword - -Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. -Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: alias +alias to: user.terminal -- -*`client.ip`*:: +*`auditd.log.msg`*:: + -- -type: ip - -IP address of the client. -Can be one or multiple IPv4 or IPv6 addresses. +type: alias +alias to: message -- -*`client.port`*:: +*`auditd.log.src`*:: + -- -type: long - -Port of the client. +type: alias +alias to: source.address -- -*`client.mac`*:: +*`auditd.log.addr`*:: + -- -type: keyword - -MAC address of the client. +type: alias +alias to: source.address -- -*`client.domain`*:: +*`auditd.log.rport`*:: + -- -type: keyword - -Client domain. +type: alias +alias to: source.port -- -*`client.bytes`*:: +*`auditd.log.dst`*:: + -- -type: long +type: alias -example: 184 +alias to: destination.address + +-- + +*`auditd.log.laddr`*:: ++ +-- +type: alias + +alias to: destination.address + +-- + +*`auditd.log.lport`*:: ++ +-- +type: alias + +alias to: destination.port + +-- + +[[exported-fields-beat]] +== Beat fields + +Contains common beat fields available in all event types. + + + +*`beat.timezone`*:: ++ +-- +type: alias + +alias to: event.timezone + +-- + +*`fields`*:: ++ +-- +type: object + +Contains user configurable fields. + + +-- + +[float] +== error fields + +Error fields containing additional info in case of errors. 
+ + + +*`error.type`*:: ++ +-- +type: keyword + +Error type. + + +-- + +*`beat.name`*:: ++ +-- +type: alias + +alias to: host.name + +-- + +*`beat.hostname`*:: ++ +-- +type: alias + +alias to: agent.hostname + +-- + +[[exported-fields-cloud]] +== Cloud provider metadata fields + +Metadata from cloud providers added by the add_cloud_metadata processor. + + + +*`cloud.project.id`*:: ++ +-- +example: project-x + +Name of the project in Google Cloud. + + +-- + +*`meta.cloud.provider`*:: ++ +-- +type: alias + +alias to: cloud.provider + +-- + +*`meta.cloud.instance_id`*:: ++ +-- +type: alias + +alias to: cloud.instance.id + +-- + +*`meta.cloud.instance_name`*:: ++ +-- +type: alias + +alias to: cloud.instance.name + +-- + +*`meta.cloud.machine_type`*:: ++ +-- +type: alias + +alias to: cloud.machine.type + +-- + +*`meta.cloud.availability_zone`*:: ++ +-- +type: alias + +alias to: cloud.availability_zone + +-- + +*`meta.cloud.project_id`*:: ++ +-- +type: alias + +alias to: cloud.project.id + +-- + +*`meta.cloud.region`*:: ++ +-- +type: alias + +alias to: cloud.region + +-- + +[[exported-fields-docker-processor]] +== Docker fields + +Docker stats collected from Docker. + + + + +*`docker.container.id`*:: ++ +-- +type: alias + +alias to: container.id + +-- + +*`docker.container.image`*:: ++ +-- +type: alias + +alias to: container.image.name + +-- + +*`docker.container.name`*:: ++ +-- +type: alias + +alias to: container.name + +-- + +*`docker.container.labels`*:: ++ +-- +type: object + +Image labels. + + +-- + +[[exported-fields-ecs]] +== ECS fields + +ECS fields. + + + +*`@timestamp`*:: ++ +-- +type: date + +example: 2016-05-23T08:05:34.853Z + +required: True + +Date/time when the event originated. +For log events this is the date/time when the event was generated, and not when it was read. +Required field for all events. + + +-- + +*`tags`*:: ++ +-- +type: keyword + +example: ["production", "env2"] + +List of keywords used to tag each event. 
+ + +-- + +*`labels`*:: ++ +-- +type: object + +example: {'application': 'foo-bar', 'env': 'production'} + +Key/value pairs. +Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. +Example: `docker` and `k8s` labels. + + +-- + +*`message`*:: ++ +-- +type: text + +example: Hello World + +For log events the message field contains the log message. +In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message. + + +-- + +[float] +== agent fields + +The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. + + + +*`agent.version`*:: ++ +-- +type: keyword + +example: 6.0.0-rc2 + +Version of the agent. + + +-- + +*`agent.name`*:: ++ +-- +type: keyword + +example: foo + +Name of the agent. +This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. +If no name is given, the name is often left empty. + + +-- + +*`agent.type`*:: ++ +-- +type: keyword + +example: filebeat + +Type of the agent. +The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + + +-- + +*`agent.id`*:: ++ +-- +type: keyword + +example: 8a4f500d + +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. 
+ + +-- + +*`agent.ephemeral_id`*:: ++ +-- +type: keyword + +example: 8a4f500f + +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. + + +-- + +[float] +== client fields + +A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. +Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately. + + + +*`client.address`*:: ++ +-- +type: keyword + +Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. +Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. + + +-- + +*`client.ip`*:: ++ +-- +type: ip + +IP address of the client. +Can be one or multiple IPv4 or IPv6 addresses. + + +-- + +*`client.port`*:: ++ +-- +type: long + +Port of the client. + + +-- + +*`client.mac`*:: ++ +-- +type: keyword + +MAC address of the client. + + +-- + +*`client.domain`*:: ++ +-- +type: keyword + +Client domain. + + +-- + +*`client.bytes`*:: ++ +-- +type: long + +example: 184 format: bytes 
@@ -9954,326 +10344,82 @@ alias to: user_agent.original -- type: alias -alias to: source.geo.continent_name - --- - -*`nginx.access.geoip.country_iso_code`*:: -+ --- -type: alias - -alias to: source.geo.country_iso_code - --- - -*`nginx.access.geoip.location`*:: -+ --- -type: alias - -alias to: source.geo.location - --- - -*`nginx.access.geoip.region_name`*:: -+ --- -type: alias - -alias to: source.geo.region_name - --- - -*`nginx.access.geoip.city_name`*:: -+ --- -type: alias - -alias to: source.geo.city_name - --- - -*`nginx.access.geoip.region_iso_code`*:: -+ --- -type: alias - -alias to: source.geo.region_iso_code - --- - -[float] -== error fields - -Contains fields for the Nginx error logs. - - - -*`nginx.error.connection_id`*:: -+ --- -type: long - -Connection identifier. - - --- - -*`nginx.error.level`*:: -+ --- -type: alias - -alias to: log.level - --- - -*`nginx.error.pid`*:: -+ --- -type: alias - -alias to: process.pid - --- - -*`nginx.error.tid`*:: -+ --- -type: alias - -alias to: process.thread.id - --- - -*`nginx.error.message`*:: -+ --- -type: alias - -alias to: message - --- - -[[exported-fields-osquery]] -== Osquery fields - -Fields exported by the `osquery` module - - - -[float] -== osquery fields - - - - -[float] -== result fields - -Common fields exported by the result metricset. - - - -*`osquery.result.name`*:: -+ --- -type: keyword - -The name of the query that generated this event. - - --- - -*`osquery.result.action`*:: -+ --- -type: keyword - -For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". - - --- - -*`osquery.result.host_identifier`*:: -+ --- -type: keyword - -The identifier for the host on which the osquery agent is running. Normally the hostname. - - --- - -*`osquery.result.unix_time`*:: -+ --- -type: long - -Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. 
- - --- - -*`osquery.result.calendar_time`*:: -+ --- -String representation of the collection time, as formatted by osquery. - - --- - -[[exported-fields-postgresql]] -== PostgreSQL fields - -Module for parsing the PostgreSQL log files. - - - -[float] -== postgresql fields - -Fields from PostgreSQL logs. - - - -[float] -== log fields - -Fields from the PostgreSQL log files. - - - -*`postgresql.log.timestamp`*:: -+ --- -The timestamp from the log line. - - --- - -*`postgresql.log.core_id`*:: -+ --- -type: long - -Core id - - --- - -*`postgresql.log.database`*:: -+ --- -example: mydb - -Name of database - --- - -*`postgresql.log.query`*:: -+ --- -example: SELECT * FROM users; - -Query statement. - --- - -*`postgresql.log.timezone`*:: -+ --- -type: alias - -alias to: event.timezone +alias to: source.geo.continent_name -- -*`postgresql.log.thread_id`*:: +*`nginx.access.geoip.country_iso_code`*:: + -- type: alias -alias to: process.pid +alias to: source.geo.country_iso_code -- -*`postgresql.log.user`*:: +*`nginx.access.geoip.location`*:: + -- type: alias -alias to: user.name +alias to: source.geo.location -- -*`postgresql.log.level`*:: +*`nginx.access.geoip.region_name`*:: + -- type: alias -alias to: log.level +alias to: source.geo.region_name -- -*`postgresql.log.message`*:: +*`nginx.access.geoip.city_name`*:: + -- type: alias -alias to: message +alias to: source.geo.city_name -- -[[exported-fields-process]] -== Process fields - -Process metadata fields - - - - -*`process.exe`*:: +*`nginx.access.geoip.region_iso_code`*:: + -- type: alias -alias to: process.executable +alias to: source.geo.region_iso_code -- -[[exported-fields-redis]] -== Redis fields - -Redis Module - - - [float] -== redis fields +== error fields +Contains fields for the Nginx error logs. -[float] -== log fields +*`nginx.error.connection_id`*:: ++ +-- +type: long -Redis log files +Connection identifier. 
+-- -*`redis.log.role`*:: +*`nginx.error.level`*:: + -- -type: keyword - -The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. +type: alias +alias to: log.level -- -*`redis.log.pid`*:: +*`nginx.error.pid`*:: + -- type: alias @@ -10282,16 +10428,16 @@ alias to: process.pid -- -*`redis.log.level`*:: +*`nginx.error.tid`*:: + -- type: alias -alias to: log.level +alias to: process.thread.id -- -*`redis.log.message`*:: +*`nginx.error.message`*:: + -- type: alias 
@@ -10300,772 +10446,737 @@ alias to: message -- -[float] -== slowlog fields +[[exported-fields-osquery]] +== Osquery fields -Slow logs are retrieved from Redis via a network connection. +Fields exported by the `osquery` module -*`redis.slowlog.cmd`*:: -+ --- -type: keyword +[float] +== osquery fields -The command executed. --- -*`redis.slowlog.duration.us`*:: -+ --- -type: long +[float] +== result fields -How long it took to execute the command in microseconds. +Common fields exported by the result metricset. --- -*`redis.slowlog.id`*:: +*`osquery.result.name`*:: + -- -type: long +type: keyword -The ID of the query. +The name of the query that generated this event. -- -*`redis.slowlog.key`*:: +*`osquery.result.action`*:: + -- type: keyword -The key on which the command was executed. +For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". -- -*`redis.slowlog.args`*:: +*`osquery.result.host_identifier`*:: + -- type: keyword -The arguments with which the command was called. +The identifier for the host on which the osquery agent is running. Normally the hostname. -- -[[exported-fields-santa]] -== Google Santa fields - -Santa Module - - - -[float] -== santa fields - - - - -*`santa.action`*:: +*`osquery.result.unix_time`*:: + -- -type: keyword +type: long -example: EXEC +Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. -Action -- -*`santa.decision`*:: +*`osquery.result.calendar_time`*:: + -- -type: keyword - -example: ALLOW +String representation of the collection time, as formatted by osquery. -Decision that santad took. -- -*`santa.reason`*:: -+ --- -type: keyword +[[exported-fields-postgresql]] +== PostgreSQL fields -example: CERT +Module for parsing the PostgreSQL log files. -Reason for the decsision. --- -*`santa.mode`*:: -+ --- -type: keyword +[float] +== postgresql fields -example: M +Fields from PostgreSQL logs. -Operating mode of Santa. 
--- [float] -== disk fields +== log fields -Fields for DISKAPPEAR actions. +Fields from the PostgreSQL log files. -*`santa.disk.volume`*:: + +*`postgresql.log.timestamp`*:: + -- -The volume name. +The timestamp from the log line. + -- -*`santa.disk.bus`*:: +*`postgresql.log.core_id`*:: + -- -The disk bus protocol. +type: long --- +Core id -*`santa.disk.serial`*:: -+ --- -The disk serial number. -- -*`santa.disk.bsdname`*:: +*`postgresql.log.database`*:: + -- -example: disk1s3 +example: mydb -The disk BSD name. +Name of database -- -*`santa.disk.model`*:: +*`postgresql.log.query`*:: + -- -example: APPLE SSD SM0512L +example: SELECT * FROM users; -The disk model. +Query statement. -- -*`santa.disk.fs`*:: +*`postgresql.log.timezone`*:: + -- -example: apfs +type: alias -The disk volume kind (filesystem type). +alias to: event.timezone -- -*`santa.disk.mount`*:: +*`postgresql.log.thread_id`*:: + -- -The disk volume path. +type: alias + +alias to: process.pid -- -*`certificate.common_name`*:: +*`postgresql.log.user`*:: + -- -type: keyword +type: alias -Common name from code signing certificate. +alias to: user.name -- -*`certificate.sha256`*:: +*`postgresql.log.level`*:: + -- -type: keyword +type: alias -SHA256 hash of code signing certificate. +alias to: log.level -- -*`hash.sha256`*:: +*`postgresql.log.message`*:: + -- -type: keyword +type: alias -Hash of process executable. +alias to: message -- -[[exported-fields-suricata]] -== Suricata fields - -Module for handling the EVE JSON logs produced by Suricata. - +[[exported-fields-process]] +== Process fields +Process metadata fields -[float] -== suricata fields -Fields from the Suricata EVE log file. 
+*`process.exe`*:: ++ +-- +type: alias -[float] -== eve fields +alias to: process.executable -Fields exported by the EVE JSON logs +-- +[[exported-fields-redis]] +== Redis fields +Redis Module -*`suricata.eve.event_type`*:: -+ --- -type: keyword --- -*`suricata.eve.app_proto_orig`*:: -+ --- -type: keyword +[float] +== redis fields --- -*`suricata.eve.tcp.tcp_flags`*:: -+ --- -type: keyword --- +[float] +== log fields -*`suricata.eve.tcp.psh`*:: -+ --- -type: boolean +Redis log files --- -*`suricata.eve.tcp.tcp_flags_tc`*:: + +*`redis.log.role`*:: + -- type: keyword --- +The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. -*`suricata.eve.tcp.ack`*:: -+ --- -type: boolean -- -*`suricata.eve.tcp.syn`*:: +*`redis.log.pid`*:: + -- -type: boolean +type: alias + +alias to: process.pid -- -*`suricata.eve.tcp.state`*:: +*`redis.log.level`*:: + -- -type: keyword +type: alias + +alias to: log.level -- -*`suricata.eve.tcp.tcp_flags_ts`*:: +*`redis.log.message`*:: + -- -type: keyword +type: alias --- +alias to: message -*`suricata.eve.tcp.rst`*:: -+ -- -type: boolean --- +[float] +== slowlog fields -*`suricata.eve.tcp.fin`*:: -+ --- -type: boolean +Slow logs are retrieved from Redis via a network connection. --- -*`suricata.eve.fileinfo.sha1`*:: +*`redis.slowlog.cmd`*:: + -- type: keyword --- +The command executed. -*`suricata.eve.fileinfo.filename`*:: -+ --- -type: keyword -- -*`suricata.eve.fileinfo.tx_id`*:: +*`redis.slowlog.duration.us`*:: + -- type: long --- +How long it took to execute the command in microseconds. -*`suricata.eve.fileinfo.state`*:: -+ --- -type: keyword -- -*`suricata.eve.fileinfo.stored`*:: +*`redis.slowlog.id`*:: + -- -type: boolean +type: long --- +The ID of the query. -*`suricata.eve.fileinfo.gaps`*:: -+ --- -type: boolean -- -*`suricata.eve.fileinfo.sha256`*:: +*`redis.slowlog.key`*:: + -- type: keyword +The key on which the command was executed. 
+ + -- -*`suricata.eve.fileinfo.md5`*:: +*`redis.slowlog.args`*:: + -- type: keyword --- +The arguments with which the command was called. -*`suricata.eve.fileinfo.size`*:: -+ --- -type: long -- -*`suricata.eve.icmp_type`*:: -+ --- -type: long +[[exported-fields-santa]] +== Google Santa fields --- +Santa Module -*`suricata.eve.dest_port`*:: -+ --- -type: long --- -*`suricata.eve.src_port`*:: -+ --- -type: long +[float] +== santa fields --- -*`suricata.eve.proto`*:: + + +*`santa.action`*:: + -- type: keyword --- +example: EXEC -*`suricata.eve.pcap_cnt`*:: -+ --- -type: long +Action -- -*`suricata.eve.src_ip`*:: +*`santa.decision`*:: + -- -type: ip +type: keyword --- +example: ALLOW +Decision that santad took. -*`suricata.eve.dns.type`*:: +-- + +*`santa.reason`*:: + -- type: keyword +example: CERT + +Reason for the decsision. + -- -*`suricata.eve.dns.rrtype`*:: +*`santa.mode`*:: + -- type: keyword +example: M + +Operating mode of Santa. + -- -*`suricata.eve.dns.rrname`*:: +[float] +== disk fields + +Fields for DISKAPPEAR actions. + + +*`santa.disk.volume`*:: + -- -type: keyword +The volume name. -- -*`suricata.eve.dns.rdata`*:: +*`santa.disk.bus`*:: + -- -type: keyword +The disk bus protocol. -- -*`suricata.eve.dns.tx_id`*:: +*`santa.disk.serial`*:: + -- -type: long +The disk serial number. -- -*`suricata.eve.dns.ttl`*:: +*`santa.disk.bsdname`*:: + -- -type: long +example: disk1s3 + +The disk BSD name. -- -*`suricata.eve.dns.rcode`*:: +*`santa.disk.model`*:: + -- -type: keyword +example: APPLE SSD SM0512L + +The disk model. -- -*`suricata.eve.dns.id`*:: +*`santa.disk.fs`*:: + -- -type: long +example: apfs + +The disk volume kind (filesystem type). -- -*`suricata.eve.flow_id`*:: +*`santa.disk.mount`*:: + -- -type: keyword +The disk volume path. -- - -*`suricata.eve.email.status`*:: +*`certificate.common_name`*:: + -- type: keyword +Common name from code signing certificate. 
+ -- -*`suricata.eve.dest_ip`*:: +*`certificate.sha256`*:: + -- -type: ip +type: keyword + +SHA256 hash of code signing certificate. -- -*`suricata.eve.icmp_code`*:: +*`hash.sha256`*:: + -- -type: long +type: keyword + +Hash of process executable. -- +[[exported-fields-suricata]] +== Suricata fields -*`suricata.eve.http.status`*:: -+ --- -type: long +Module for handling the EVE JSON logs produced by Suricata. --- -*`suricata.eve.http.redirect`*:: + +[float] +== suricata fields + +Fields from the Suricata EVE log file. + + + +[float] +== eve fields + +Fields exported by the EVE JSON logs + + + +*`suricata.eve.event_type`*:: + -- type: keyword -- -*`suricata.eve.http.http_user_agent`*:: +*`suricata.eve.app_proto_orig`*:: + -- type: keyword -- -*`suricata.eve.http.protocol`*:: + +*`suricata.eve.tcp.tcp_flags`*:: + -- type: keyword -- -*`suricata.eve.http.http_refer`*:: +*`suricata.eve.tcp.psh`*:: + -- -type: keyword +type: boolean -- -*`suricata.eve.http.url`*:: +*`suricata.eve.tcp.tcp_flags_tc`*:: + -- type: keyword -- -*`suricata.eve.http.hostname`*:: +*`suricata.eve.tcp.ack`*:: + -- -type: keyword +type: boolean -- -*`suricata.eve.http.length`*:: +*`suricata.eve.tcp.syn`*:: + -- -type: long +type: boolean -- -*`suricata.eve.http.http_method`*:: +*`suricata.eve.tcp.state`*:: + -- type: keyword -- -*`suricata.eve.http.http_content_type`*:: +*`suricata.eve.tcp.tcp_flags_ts`*:: + -- type: keyword -- -*`suricata.eve.timestamp`*:: +*`suricata.eve.tcp.rst`*:: + -- -type: date +type: boolean -- -*`suricata.eve.in_iface`*:: +*`suricata.eve.tcp.fin`*:: + -- -type: keyword +type: boolean -- -*`suricata.eve.alert.category`*:: +*`suricata.eve.fileinfo.sha1`*:: + -- type: keyword -- -*`suricata.eve.alert.severity`*:: -+ --- -type: long - --- - -*`suricata.eve.alert.rev`*:: +*`suricata.eve.fileinfo.filename`*:: + -- -type: long +type: keyword -- -*`suricata.eve.alert.gid`*:: +*`suricata.eve.fileinfo.tx_id`*:: + -- type: long -- -*`suricata.eve.alert.signature`*:: 
+*`suricata.eve.fileinfo.state`*:: + -- type: keyword -- -*`suricata.eve.alert.action`*:: +*`suricata.eve.fileinfo.stored`*:: + -- -type: keyword +type: boolean -- -*`suricata.eve.alert.signature_id`*:: +*`suricata.eve.fileinfo.gaps`*:: + -- -type: long +type: boolean -- - - -*`suricata.eve.ssh.client.proto_version`*:: +*`suricata.eve.fileinfo.sha256`*:: + -- type: keyword -- -*`suricata.eve.ssh.client.software_version`*:: +*`suricata.eve.fileinfo.md5`*:: + -- type: keyword -- - -*`suricata.eve.ssh.server.proto_version`*:: +*`suricata.eve.fileinfo.size`*:: + -- -type: keyword +type: long -- -*`suricata.eve.ssh.server.software_version`*:: +*`suricata.eve.icmp_type`*:: + -- -type: keyword +type: long -- +*`suricata.eve.dest_port`*:: ++ +-- +type: long +-- -*`suricata.eve.stats.capture.kernel_packets`*:: +*`suricata.eve.src_port`*:: + -- type: long -- -*`suricata.eve.stats.capture.kernel_drops`*:: +*`suricata.eve.proto`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.capture.kernel_ifdrops`*:: +*`suricata.eve.pcap_cnt`*:: + -- type: long -- -*`suricata.eve.stats.uptime`*:: +*`suricata.eve.src_ip`*:: + -- -type: long +type: ip -- -*`suricata.eve.stats.detect.alert`*:: +*`suricata.eve.dns.type`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.http.memcap`*:: +*`suricata.eve.dns.rrtype`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.http.memuse`*:: +*`suricata.eve.dns.rrname`*:: + -- -type: long +type: keyword -- +*`suricata.eve.dns.rdata`*:: ++ +-- +type: keyword -*`suricata.eve.stats.file_store.open_files`*:: +-- + +*`suricata.eve.dns.tx_id`*:: + -- type: long -- - -*`suricata.eve.stats.defrag.max_frag_hits`*:: +*`suricata.eve.dns.ttl`*:: + -- type: long -- - -*`suricata.eve.stats.defrag.ipv4.timeouts`*:: +*`suricata.eve.dns.rcode`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.defrag.ipv4.fragments`*:: +*`suricata.eve.dns.id`*:: + -- type: long -- -*`suricata.eve.stats.defrag.ipv4.reassembled`*:: 
+*`suricata.eve.flow_id`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.defrag.ipv6.timeouts`*:: +*`suricata.eve.email.status`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.defrag.ipv6.fragments`*:: +*`suricata.eve.dest_ip`*:: + -- -type: long +type: ip -- -*`suricata.eve.stats.defrag.ipv6.reassembled`*:: +*`suricata.eve.icmp_code`*:: + -- type: long 
@@ -11073,717 +11184,726 @@ type: long -- -*`suricata.eve.stats.flow.tcp_reuse`*:: +*`suricata.eve.http.status`*:: + -- type: long -- -*`suricata.eve.stats.flow.udp`*:: +*`suricata.eve.http.redirect`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.flow.memcap`*:: +*`suricata.eve.http.http_user_agent`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.flow.emerg_mode_entered`*:: +*`suricata.eve.http.protocol`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.flow.emerg_mode_over`*:: +*`suricata.eve.http.http_refer`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.flow.tcp`*:: +*`suricata.eve.http.url`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.flow.icmpv6`*:: +*`suricata.eve.http.hostname`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.flow.icmpv4`*:: +*`suricata.eve.http.length`*:: + -- type: long -- -*`suricata.eve.stats.flow.spare`*:: +*`suricata.eve.http.http_method`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.flow.memuse`*:: +*`suricata.eve.http.http_content_type`*:: + -- -type: long +type: keyword -- - -*`suricata.eve.stats.tcp.pseudo_failed`*:: +*`suricata.eve.timestamp`*:: + -- -type: long +type: date -- -*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: +*`suricata.eve.in_iface`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: + +*`suricata.eve.alert.category`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.sessions`*:: +*`suricata.eve.alert.severity`*:: + -- type: long -- -*`suricata.eve.stats.tcp.pseudo`*:: +*`suricata.eve.alert.rev`*:: + -- type: long -- -*`suricata.eve.stats.tcp.synack`*:: +*`suricata.eve.alert.gid`*:: + -- type: long -- -*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: +*`suricata.eve.alert.signature`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.syn`*:: +*`suricata.eve.alert.action`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.memuse`*:: 
+*`suricata.eve.alert.signature_id`*:: + -- type: long -- -*`suricata.eve.stats.tcp.invalid_checksum`*:: + + +*`suricata.eve.ssh.client.proto_version`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.segment_memcap_drop`*:: +*`suricata.eve.ssh.client.software_version`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.overlap`*:: + +*`suricata.eve.ssh.server.proto_version`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.insert_list_fail`*:: +*`suricata.eve.ssh.server.software_version`*:: + -- -type: long +type: keyword -- -*`suricata.eve.stats.tcp.rst`*:: + + +*`suricata.eve.stats.capture.kernel_packets`*:: + -- type: long -- -*`suricata.eve.stats.tcp.stream_depth_reached`*:: +*`suricata.eve.stats.capture.kernel_drops`*:: + -- type: long -- -*`suricata.eve.stats.tcp.reassembly_memuse`*:: +*`suricata.eve.stats.capture.kernel_ifdrops`*:: + -- type: long -- -*`suricata.eve.stats.tcp.reassembly_gap`*:: +*`suricata.eve.stats.uptime`*:: + -- type: long -- -*`suricata.eve.stats.tcp.overlap_diff_data`*:: + +*`suricata.eve.stats.detect.alert`*:: + -- type: long -- -*`suricata.eve.stats.tcp.no_flow`*:: + +*`suricata.eve.stats.http.memcap`*:: + -- type: long -- - -*`suricata.eve.stats.decoder.avg_pkt_size`*:: +*`suricata.eve.stats.http.memuse`*:: + -- type: long -- -*`suricata.eve.stats.decoder.bytes`*:: + +*`suricata.eve.stats.file_store.open_files`*:: + -- type: long -- -*`suricata.eve.stats.decoder.tcp`*:: + +*`suricata.eve.stats.defrag.max_frag_hits`*:: + -- type: long -- -*`suricata.eve.stats.decoder.raw`*:: + +*`suricata.eve.stats.defrag.ipv4.timeouts`*:: + -- type: long -- -*`suricata.eve.stats.decoder.ppp`*:: +*`suricata.eve.stats.defrag.ipv4.fragments`*:: + -- type: long -- -*`suricata.eve.stats.decoder.vlan_qinq`*:: +*`suricata.eve.stats.defrag.ipv4.reassembled`*:: + -- type: long -- -*`suricata.eve.stats.decoder.null`*:: + +*`suricata.eve.stats.defrag.ipv6.timeouts`*:: + -- type: long -- - 
-*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: +*`suricata.eve.stats.defrag.ipv6.fragments`*:: + -- type: long -- -*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: +*`suricata.eve.stats.defrag.ipv6.reassembled`*:: + -- type: long -- -*`suricata.eve.stats.decoder.invalid`*:: + +*`suricata.eve.stats.flow.tcp_reuse`*:: + -- type: long -- -*`suricata.eve.stats.decoder.gre`*:: +*`suricata.eve.stats.flow.udp`*:: + -- type: long -- -*`suricata.eve.stats.decoder.ipv4`*:: +*`suricata.eve.stats.flow.memcap`*:: + -- type: long -- -*`suricata.eve.stats.decoder.ipv6`*:: +*`suricata.eve.stats.flow.emerg_mode_entered`*:: + -- type: long -- -*`suricata.eve.stats.decoder.pkts`*:: +*`suricata.eve.stats.flow.emerg_mode_over`*:: + -- type: long -- -*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: +*`suricata.eve.stats.flow.tcp`*:: + -- type: long -- - -*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: +*`suricata.eve.stats.flow.icmpv6`*:: + -- type: long -- -*`suricata.eve.stats.decoder.pppoe`*:: +*`suricata.eve.stats.flow.icmpv4`*:: + -- type: long -- -*`suricata.eve.stats.decoder.udp`*:: +*`suricata.eve.stats.flow.spare`*:: + -- type: long -- - -*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: +*`suricata.eve.stats.flow.memuse`*:: + -- type: long -- -*`suricata.eve.stats.decoder.vlan`*:: + +*`suricata.eve.stats.tcp.pseudo_failed`*:: + -- type: long -- -*`suricata.eve.stats.decoder.sctp`*:: +*`suricata.eve.stats.tcp.ssn_memcap_drop`*:: + -- type: long -- -*`suricata.eve.stats.decoder.max_pkt_size`*:: +*`suricata.eve.stats.tcp.insert_data_overlap_fail`*:: + -- type: long -- -*`suricata.eve.stats.decoder.teredo`*:: +*`suricata.eve.stats.tcp.sessions`*:: + -- type: long -- -*`suricata.eve.stats.decoder.mpls`*:: +*`suricata.eve.stats.tcp.pseudo`*:: + -- type: long -- -*`suricata.eve.stats.decoder.sll`*:: +*`suricata.eve.stats.tcp.synack`*:: + -- type: long -- -*`suricata.eve.stats.decoder.icmpv6`*:: +*`suricata.eve.stats.tcp.insert_data_normal_fail`*:: + -- type: 
long -- -*`suricata.eve.stats.decoder.icmpv4`*:: +*`suricata.eve.stats.tcp.syn`*:: + -- type: long -- -*`suricata.eve.stats.decoder.erspan`*:: +*`suricata.eve.stats.tcp.memuse`*:: + -- type: long -- -*`suricata.eve.stats.decoder.ethernet`*:: +*`suricata.eve.stats.tcp.invalid_checksum`*:: + -- type: long -- -*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: +*`suricata.eve.stats.tcp.segment_memcap_drop`*:: + -- type: long -- -*`suricata.eve.stats.decoder.ieee8021ah`*:: +*`suricata.eve.stats.tcp.overlap`*:: + -- type: long -- - -*`suricata.eve.stats.dns.memcap_global`*:: +*`suricata.eve.stats.tcp.insert_list_fail`*:: + -- type: long -- -*`suricata.eve.stats.dns.memcap_state`*:: +*`suricata.eve.stats.tcp.rst`*:: + -- type: long -- -*`suricata.eve.stats.dns.memuse`*:: +*`suricata.eve.stats.tcp.stream_depth_reached`*:: + -- type: long -- - -*`suricata.eve.stats.flow_mgr.rows_busy`*:: +*`suricata.eve.stats.tcp.reassembly_memuse`*:: + -- type: long -- -*`suricata.eve.stats.flow_mgr.flows_timeout`*:: +*`suricata.eve.stats.tcp.reassembly_gap`*:: + -- type: long -- -*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: +*`suricata.eve.stats.tcp.overlap_diff_data`*:: + -- type: long -- -*`suricata.eve.stats.flow_mgr.rows_skipped`*:: +*`suricata.eve.stats.tcp.no_flow`*:: + -- type: long -- -*`suricata.eve.stats.flow_mgr.closed_pruned`*:: + +*`suricata.eve.stats.decoder.avg_pkt_size`*:: + -- type: long -- -*`suricata.eve.stats.flow_mgr.new_pruned`*:: +*`suricata.eve.stats.decoder.bytes`*:: + -- type: long -- -*`suricata.eve.stats.flow_mgr.flows_removed`*:: +*`suricata.eve.stats.decoder.tcp`*:: + -- type: long -- -*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: +*`suricata.eve.stats.decoder.raw`*:: + -- type: long -- -*`suricata.eve.stats.flow_mgr.est_pruned`*:: +*`suricata.eve.stats.decoder.ppp`*:: + -- type: long -- -*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: +*`suricata.eve.stats.decoder.vlan_qinq`*:: + -- type: long -- -*`suricata.eve.stats.flow_mgr.flows_checked`*:: 
+*`suricata.eve.stats.decoder.null`*:: + -- type: long -- -*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: + +*`suricata.eve.stats.decoder.ltnull.unsupported_type`*:: + -- type: long -- -*`suricata.eve.stats.flow_mgr.rows_checked`*:: +*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*:: + -- type: long -- -*`suricata.eve.stats.flow_mgr.rows_empty`*:: +*`suricata.eve.stats.decoder.invalid`*:: + -- type: long -- - - -*`suricata.eve.stats.app_layer.flow.tls`*:: +*`suricata.eve.stats.decoder.gre`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.flow.ftp`*:: +*`suricata.eve.stats.decoder.ipv4`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.flow.http`*:: +*`suricata.eve.stats.decoder.ipv6`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.flow.failed_udp`*:: +*`suricata.eve.stats.decoder.pkts`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.flow.dns_udp`*:: +*`suricata.eve.stats.decoder.ipv6_in_ipv6`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: + +*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.flow.smtp`*:: +*`suricata.eve.stats.decoder.pppoe`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: +*`suricata.eve.stats.decoder.udp`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.flow.msn`*:: + +*`suricata.eve.stats.decoder.dce.pkt_too_small`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.flow.ssh`*:: +*`suricata.eve.stats.decoder.vlan`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.flow.imap`*:: +*`suricata.eve.stats.decoder.sctp`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: +*`suricata.eve.stats.decoder.max_pkt_size`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: +*`suricata.eve.stats.decoder.teredo`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.flow.smb`*:: +*`suricata.eve.stats.decoder.mpls`*:: + -- type: long -- - -*`suricata.eve.stats.app_layer.tx.tls`*:: 
+*`suricata.eve.stats.decoder.sll`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.tx.ftp`*:: +*`suricata.eve.stats.decoder.icmpv6`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.tx.http`*:: +*`suricata.eve.stats.decoder.icmpv4`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.tx.dns_udp`*:: +*`suricata.eve.stats.decoder.erspan`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: +*`suricata.eve.stats.decoder.ethernet`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.tx.smtp`*:: +*`suricata.eve.stats.decoder.ipv4_in_ipv6`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.tx.ssh`*:: +*`suricata.eve.stats.decoder.ieee8021ah`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: + +*`suricata.eve.stats.dns.memcap_global`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: +*`suricata.eve.stats.dns.memcap_state`*:: + -- type: long -- -*`suricata.eve.stats.app_layer.tx.smb`*:: +*`suricata.eve.stats.dns.memuse`*:: + -- type: long 
@@ -11791,636 +11911,534 @@ type: long -- -*`suricata.eve.tls.notbefore`*:: +*`suricata.eve.stats.flow_mgr.rows_busy`*:: + -- -type: date +type: long -- -*`suricata.eve.tls.issuerdn`*:: +*`suricata.eve.stats.flow_mgr.flows_timeout`*:: + -- -type: keyword +type: long -- -*`suricata.eve.tls.sni`*:: +*`suricata.eve.stats.flow_mgr.flows_notimeout`*:: + -- -type: keyword +type: long -- -*`suricata.eve.tls.version`*:: +*`suricata.eve.stats.flow_mgr.rows_skipped`*:: + -- -type: keyword +type: long -- -*`suricata.eve.tls.session_resumed`*:: +*`suricata.eve.stats.flow_mgr.closed_pruned`*:: + -- -type: boolean +type: long -- -*`suricata.eve.tls.fingerprint`*:: +*`suricata.eve.stats.flow_mgr.new_pruned`*:: + -- -type: keyword +type: long -- -*`suricata.eve.tls.serial`*:: +*`suricata.eve.stats.flow_mgr.flows_removed`*:: + -- -type: keyword +type: long -- -*`suricata.eve.tls.notafter`*:: +*`suricata.eve.stats.flow_mgr.bypassed_pruned`*:: + -- -type: date +type: long -- -*`suricata.eve.tls.subject`*:: +*`suricata.eve.stats.flow_mgr.est_pruned`*:: + -- -type: keyword +type: long -- -*`suricata.eve.app_proto_ts`*:: +*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*:: + -- -type: keyword +type: long -- - -*`suricata.eve.flow.bytes_toclient`*:: +*`suricata.eve.stats.flow_mgr.flows_checked`*:: + -- type: long -- -*`suricata.eve.flow.start`*:: +*`suricata.eve.stats.flow_mgr.rows_maxlen`*:: + -- -type: date +type: long -- -*`suricata.eve.flow.pkts_toclient`*:: +*`suricata.eve.stats.flow_mgr.rows_checked`*:: + -- type: long -- -*`suricata.eve.flow.age`*:: +*`suricata.eve.stats.flow_mgr.rows_empty`*:: + -- type: long -- -*`suricata.eve.flow.state`*:: + + +*`suricata.eve.stats.app_layer.flow.tls`*:: + -- -type: keyword +type: long -- -*`suricata.eve.flow.bytes_toserver`*:: +*`suricata.eve.stats.app_layer.flow.ftp`*:: + -- type: long -- -*`suricata.eve.flow.reason`*:: +*`suricata.eve.stats.app_layer.flow.http`*:: + -- -type: keyword +type: long -- -*`suricata.eve.flow.pkts_toserver`*:: 
+*`suricata.eve.stats.app_layer.flow.failed_udp`*:: + -- type: long -- -*`suricata.eve.flow.end`*:: +*`suricata.eve.stats.app_layer.flow.dns_udp`*:: + -- -type: date +type: long -- -*`suricata.eve.flow.alerted`*:: +*`suricata.eve.stats.app_layer.flow.dns_tcp`*:: + -- -type: boolean +type: long -- -*`suricata.eve.app_proto`*:: +*`suricata.eve.stats.app_layer.flow.smtp`*:: + -- -type: keyword +type: long -- -*`suricata.eve.tx_id`*:: +*`suricata.eve.stats.app_layer.flow.failed_tcp`*:: + -- type: long -- -*`suricata.eve.app_proto_tc`*:: +*`suricata.eve.stats.app_layer.flow.msn`*:: + -- -type: keyword +type: long -- - -*`suricata.eve.smtp.rcpt_to`*:: +*`suricata.eve.stats.app_layer.flow.ssh`*:: + -- -type: keyword +type: long -- -*`suricata.eve.smtp.mail_from`*:: +*`suricata.eve.stats.app_layer.flow.imap`*:: + -- -type: keyword +type: long -- -*`suricata.eve.smtp.helo`*:: +*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*:: + -- -type: keyword +type: long -- -*`suricata.eve.app_proto_expected`*:: +*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*:: + -- -type: keyword +type: long -- -[[exported-fields-system]] -== System fields - -Module for parsing system log files. - - - -[float] -== system fields - -Fields from the system log files. - - - -[float] -== auth fields - -Fields from the Linux authorization logs. 
+*`suricata.eve.stats.app_layer.flow.smb`*:: ++ +-- +type: long +-- -*`system.auth.timestamp`*:: +*`suricata.eve.stats.app_layer.tx.tls`*:: + -- -type: alias - -alias to: @timestamp +type: long -- -*`system.auth.hostname`*:: +*`suricata.eve.stats.app_layer.tx.ftp`*:: + -- -type: alias - -alias to: host.hostname +type: long -- -*`system.auth.program`*:: +*`suricata.eve.stats.app_layer.tx.http`*:: + -- -type: alias - -alias to: process.name +type: long -- -*`system.auth.pid`*:: +*`suricata.eve.stats.app_layer.tx.dns_udp`*:: + -- -type: alias - -alias to: process.pid +type: long -- -*`system.auth.message`*:: +*`suricata.eve.stats.app_layer.tx.dns_tcp`*:: + -- -type: alias +type: long -alias to: message +-- + +*`suricata.eve.stats.app_layer.tx.smtp`*:: ++ +-- +type: long -- -*`system.auth.user`*:: +*`suricata.eve.stats.app_layer.tx.ssh`*:: + -- -type: alias - -alias to: user.name +type: long -- - -*`system.auth.ssh.method`*:: +*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*:: + -- -The SSH authentication method. Can be one of "password" or "publickey". - +type: long -- -*`system.auth.ssh.signature`*:: +*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*:: + -- -The signature of the client public key. - +type: long -- -*`system.auth.ssh.dropped_ip`*:: +*`suricata.eve.stats.app_layer.tx.smb`*:: + -- -type: ip - -The client IP from SSH connections that are open and immediately dropped. 
- +type: long -- -*`system.auth.ssh.event`*:: + +*`suricata.eve.tls.notbefore`*:: + -- -type: alias - -alias to: event.action +type: date -- -*`system.auth.ssh.ip`*:: +*`suricata.eve.tls.issuerdn`*:: + -- -type: alias - -alias to: source.ip +type: keyword -- -*`system.auth.ssh.port`*:: +*`suricata.eve.tls.sni`*:: + -- -type: alias - -alias to: source.port +type: keyword -- - -*`system.auth.ssh.geoip.continent_name`*:: +*`suricata.eve.tls.version`*:: + -- -type: alias - -alias to: source.geo.continent_name +type: keyword -- -*`system.auth.ssh.geoip.country_iso_code`*:: +*`suricata.eve.tls.session_resumed`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +type: boolean -- -*`system.auth.ssh.geoip.location`*:: +*`suricata.eve.tls.fingerprint`*:: + -- -type: alias - -alias to: source.geo.location +type: keyword -- -*`system.auth.ssh.geoip.region_name`*:: +*`suricata.eve.tls.serial`*:: + -- -type: alias - -alias to: source.geo.region_name +type: keyword -- -*`system.auth.ssh.geoip.city_name`*:: +*`suricata.eve.tls.notafter`*:: + -- -type: alias - -alias to: source.geo.city_name +type: date -- -*`system.auth.ssh.geoip.region_iso_code`*:: +*`suricata.eve.tls.subject`*:: + -- -type: alias - -alias to: source.geo.region_iso_code +type: keyword -- -[float] -== sudo fields - -Fields specific to events created by the `sudo` command. +*`suricata.eve.app_proto_ts`*:: ++ +-- +type: keyword +-- -*`system.auth.sudo.error`*:: +*`suricata.eve.flow.bytes_toclient`*:: + -- -example: user NOT in sudoers - -The error message in case the sudo command failed. - +type: long -- -*`system.auth.sudo.tty`*:: +*`suricata.eve.flow.start`*:: + -- -The TTY where the sudo command is executed. - +type: date -- -*`system.auth.sudo.pwd`*:: +*`suricata.eve.flow.pkts_toclient`*:: + -- -The current directory where the sudo command is executed. 
- +type: long -- -*`system.auth.sudo.user`*:: +*`suricata.eve.flow.age`*:: + -- -example: root - -The target user to which the sudo command is switching. - +type: long -- -*`system.auth.sudo.command`*:: +*`suricata.eve.flow.state`*:: + -- -The command executed via sudo. - +type: keyword -- -[float] -== useradd fields - -Fields specific to events created by the `useradd` command. - - - -*`system.auth.useradd.home`*:: +*`suricata.eve.flow.bytes_toserver`*:: + -- -The home folder for the new user. +type: long -- -*`system.auth.useradd.shell`*:: +*`suricata.eve.flow.reason`*:: + -- -The default shell for the new user. +type: keyword -- -*`system.auth.useradd.name`*:: +*`suricata.eve.flow.pkts_toserver`*:: + -- -type: alias - -alias to: user.name +type: long -- -*`system.auth.useradd.uid`*:: +*`suricata.eve.flow.end`*:: + -- -type: alias - -alias to: user.id +type: date -- -*`system.auth.useradd.gid`*:: +*`suricata.eve.flow.alerted`*:: + -- -type: alias - -alias to: group.id +type: boolean -- -[float] -== groupadd fields - -Fields specific to events created by the `groupadd` command. - - - -*`system.auth.groupadd.name`*:: +*`suricata.eve.app_proto`*:: + -- -type: alias - -alias to: group.name +type: keyword -- -*`system.auth.groupadd.gid`*:: +*`suricata.eve.tx_id`*:: + -- -type: alias - -alias to: group.id +type: long -- -[float] -== syslog fields - -Contains fields from the syslog system logs. 
- - - -*`system.syslog.timestamp`*:: +*`suricata.eve.app_proto_tc`*:: + -- -type: alias - -alias to: @timestamp +type: keyword -- -*`system.syslog.hostname`*:: + +*`suricata.eve.smtp.rcpt_to`*:: + -- -type: alias - -alias to: host.hostname +type: keyword -- -*`system.syslog.program`*:: +*`suricata.eve.smtp.mail_from`*:: + -- -type: alias - -alias to: process.name +type: keyword -- -*`system.syslog.pid`*:: +*`suricata.eve.smtp.helo`*:: + -- -type: alias - -alias to: process.pid +type: keyword -- -*`system.syslog.message`*:: +*`suricata.eve.app_proto_expected`*:: + -- -type: alias - -alias to: message +type: keyword -- -[[exported-fields-traefik]] -== Traefik fields +[[exported-fields-system]] +== System fields -Module for parsing the Traefik log files. +Module for parsing system log files. [float] -== traefik fields +== system fields -Fields from the Traefik log files. +Fields from the system log files. [float] -== access fields - -Contains fields for the Traefik access logs. - - - -*`traefik.access.user_identifier`*:: -+ --- -type: keyword +== auth fields -Is the RFC 1413 identity of the client +Fields from the Linux authorization logs. --- -*`traefik.access.request_count`*:: +*`system.auth.timestamp`*:: + -- -type: long - -The number of requests +type: alias +alias to: @timestamp -- -*`traefik.access.frontend_name`*:: +*`system.auth.hostname`*:: + -- -type: text - -The name of the frontend used +type: alias +alias to: host.hostname -- -*`traefik.access.backend_url`*:: +*`system.auth.program`*:: + -- -type: text +type: alias -The url of the backend where request is forwarded +alias to: process.name -- -*`traefik.access.body_sent.bytes`*:: +*`system.auth.pid`*:: + -- type: alias -alias to: http.response.body.bytes +alias to: process.pid -- -*`traefik.access.remote_ip`*:: +*`system.auth.message`*:: + -- type: alias -alias to: source.address +alias to: message -- -*`traefik.access.user_name`*:: +*`system.auth.user`*:: + -- type: alias 
@@ -12429,558 +12447,525 @@ alias to: user.name -- -*`traefik.access.method`*:: + +*`system.auth.ssh.method`*:: + -- -type: alias +The SSH authentication method. Can be one of "password" or "publickey". -alias to: http.request.method -- -*`traefik.access.url`*:: +*`system.auth.ssh.signature`*:: + -- -type: alias +The signature of the client public key. -alias to: url.original -- -*`traefik.access.http_version`*:: +*`system.auth.ssh.dropped_ip`*:: + -- -type: alias +type: ip + +The client IP from SSH connections that are open and immediately dropped. -alias to: http.version -- -*`traefik.access.response_code`*:: +*`system.auth.ssh.event`*:: + -- type: alias -alias to: http.response.status_code +alias to: event.action -- -*`traefik.access.referrer`*:: +*`system.auth.ssh.ip`*:: + -- type: alias -alias to: http.request.referrer +alias to: source.ip -- -*`traefik.access.agent`*:: +*`system.auth.ssh.port`*:: + -- type: alias -alias to: user_agent.original +alias to: source.port -- -*`traefik.access.user_agent.device`*:: +*`system.auth.ssh.geoip.continent_name`*:: + -- type: alias -alias to: user_agent.device +alias to: source.geo.continent_name -- -*`traefik.access.user_agent.major`*:: +*`system.auth.ssh.geoip.country_iso_code`*:: + -- type: alias -alias to: user_agent.major +alias to: source.geo.country_iso_code -- -*`traefik.access.user_agent.minor`*:: +*`system.auth.ssh.geoip.location`*:: + -- type: alias -alias to: user_agent.minor +alias to: source.geo.location -- -*`traefik.access.user_agent.patch`*:: +*`system.auth.ssh.geoip.region_name`*:: + -- type: alias -alias to: user_agent.patch +alias to: source.geo.region_name -- -*`traefik.access.user_agent.name`*:: +*`system.auth.ssh.geoip.city_name`*:: + -- type: alias -alias to: user_agent.name +alias to: source.geo.city_name -- -*`traefik.access.user_agent.os`*:: +*`system.auth.ssh.geoip.region_iso_code`*:: + -- type: alias -alias to: user_agent.os.full_name +alias to: source.geo.region_iso_code -- 
-*`traefik.access.user_agent.os_major`*:: +[float] +== sudo fields + +Fields specific to events created by the `sudo` command. + + + +*`system.auth.sudo.error`*:: + -- -type: alias +example: user NOT in sudoers + +The error message in case the sudo command failed. -alias to: user_agent.os.major -- -*`traefik.access.user_agent.os_minor`*:: +*`system.auth.sudo.tty`*:: + -- -type: alias +The TTY where the sudo command is executed. -alias to: user_agent.os.minor -- -*`traefik.access.user_agent.os_name`*:: +*`system.auth.sudo.pwd`*:: + -- -type: alias +The current directory where the sudo command is executed. -alias to: user_agent.os.name -- -*`traefik.access.user_agent.original`*:: +*`system.auth.sudo.user`*:: + -- -type: alias +example: root -alias to: user_agent.original +The target user to which the sudo command is switching. --- +-- -*`traefik.access.geoip.continent_name`*:: +*`system.auth.sudo.command`*:: + -- -type: alias +The command executed via sudo. -alias to: source.geo.continent_name -- -*`traefik.access.geoip.country_iso_code`*:: +[float] +== useradd fields + +Fields specific to events created by the `useradd` command. + + + +*`system.auth.useradd.home`*:: + -- -type: alias - -alias to: source.geo.country_iso_code +The home folder for the new user. -- -*`traefik.access.geoip.location`*:: +*`system.auth.useradd.shell`*:: + -- -type: alias - -alias to: source.geo.location +The default shell for the new user. -- -*`traefik.access.geoip.region_name`*:: +*`system.auth.useradd.name`*:: + -- type: alias -alias to: source.geo.region_name +alias to: user.name -- -*`traefik.access.geoip.city_name`*:: +*`system.auth.useradd.uid`*:: + -- type: alias -alias to: source.geo.city_name +alias to: user.id -- -*`traefik.access.geoip.region_iso_code`*:: +*`system.auth.useradd.gid`*:: + -- type: alias -alias to: source.geo.region_iso_code +alias to: group.id -- -[[exported-fields-user]] -== User fields +[float] +== groupadd fields -Section about user details. 
+Fields specific to events created by the `groupadd` command. -*`terminal`*:: +*`system.auth.groupadd.name`*:: + -- -type: keyword - -Terminal or tty device on which the user is performing the observed activity. +type: alias +alias to: group.name -- - -*`audit.id`*:: +*`system.auth.groupadd.gid`*:: + -- -type: keyword - -One or multiple unique identifiers of the user. - +type: alias --- +alias to: group.id -*`audit.name`*:: -+ -- -type: keyword -example: albert +[float] +== syslog fields -Short name or login of the user. +Contains fields from the syslog system logs. --- -*`audit.group.id`*:: +*`system.syslog.timestamp`*:: + -- -type: keyword - -Unique identifier for the group on the system/platform. +type: alias +alias to: @timestamp -- -*`audit.group.name`*:: +*`system.syslog.hostname`*:: + -- -type: keyword - -Name of the group. +type: alias +alias to: host.hostname -- - -*`effective.id`*:: +*`system.syslog.program`*:: + -- -type: keyword - -One or multiple unique identifiers of the user. +type: alias +alias to: process.name -- -*`effective.name`*:: +*`system.syslog.pid`*:: + -- -type: keyword - -example: albert - -Short name or login of the user. +type: alias +alias to: process.pid -- -*`effective.group.id`*:: +*`system.syslog.message`*:: + -- -type: keyword - -Unique identifier for the group on the system/platform. - +type: alias --- +alias to: message -*`effective.group.name`*:: -+ -- -type: keyword - -Name of the group. +[[exported-fields-traefik]] +== Traefik fields --- +Module for parsing the Traefik log files. -*`filesystem.id`*:: -+ --- -type: keyword -One or multiple unique identifiers of the user. +[float] +== traefik fields +Fields from the Traefik log files. --- -*`filesystem.name`*:: -+ --- -type: keyword -example: albert +[float] +== access fields -Short name or login of the user. +Contains fields for the Traefik access logs. 
--- -*`filesystem.group.id`*:: +*`traefik.access.user_identifier`*:: + -- type: keyword -Unique identifier for the group on the system/platform. +Is the RFC 1413 identity of the client -- -*`filesystem.group.name`*:: +*`traefik.access.request_count`*:: + -- -type: keyword +type: long -Name of the group. +The number of requests -- - -*`owner.id`*:: +*`traefik.access.frontend_name`*:: + -- -type: keyword +type: text -One or multiple unique identifiers of the user. +The name of the frontend used -- -*`owner.name`*:: +*`traefik.access.backend_url`*:: + -- -type: keyword - -example: albert - -Short name or login of the user. +type: text +The url of the backend where request is forwarded -- -*`owner.group.id`*:: +*`traefik.access.body_sent.bytes`*:: + -- -type: keyword - -Unique identifier for the group on the system/platform. +type: alias +alias to: http.response.body.bytes -- -*`owner.group.name`*:: +*`traefik.access.remote_ip`*:: + -- -type: keyword - -Name of the group. +type: alias +alias to: source.address -- - -*`saved.id`*:: +*`traefik.access.user_name`*:: + -- -type: keyword - -One or multiple unique identifiers of the user. +type: alias +alias to: user.name -- -*`saved.name`*:: +*`traefik.access.method`*:: + -- -type: keyword - -example: albert - -Short name or login of the user. +type: alias +alias to: http.request.method -- -*`saved.group.id`*:: +*`traefik.access.url`*:: + -- -type: keyword - -Unique identifier for the group on the system/platform. +type: alias +alias to: url.original -- -*`saved.group.name`*:: +*`traefik.access.http_version`*:: + -- -type: keyword - -Name of the group. +type: alias +alias to: http.version -- -[float] -== log fields - -Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type. - - - -*`saved.log.old_auid`*:: +*`traefik.access.response_code`*:: + -- -For login events this is the old audit ID used for the user prior to this login. 
+type: alias +alias to: http.response.status_code -- -*`saved.log.new_auid`*:: +*`traefik.access.referrer`*:: + -- -For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root). +type: alias +alias to: http.request.referrer -- -*`saved.log.old_ses`*:: +*`traefik.access.agent`*:: + -- -For login events this is the old session ID used for the user prior to this login. +type: alias +alias to: user_agent.original -- -*`saved.log.new_ses`*:: + +*`traefik.access.user_agent.device`*:: + -- -For login events this is the new session ID. It can be used to tie a user to future events by session ID. +type: alias +alias to: user_agent.device -- -*`saved.log.sequence`*:: +*`traefik.access.user_agent.major`*:: + -- -type: long - -The audit event sequence number. +type: alias +alias to: user_agent.major -- -*`saved.log.items`*:: +*`traefik.access.user_agent.minor`*:: + -- -The number of items in an event. +type: alias +alias to: user_agent.minor -- -*`saved.log.item`*:: +*`traefik.access.user_agent.patch`*:: + -- -The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item. +type: alias +alias to: user_agent.patch -- -*`saved.log.a0`*:: +*`traefik.access.user_agent.name`*:: + -- -The first argument to the system call. 
+type: alias +alias to: user_agent.name -- -*`saved.log.acct`*:: +*`traefik.access.user_agent.os`*:: + -- type: alias -alias to: user.name +alias to: user_agent.os.full_name -- -*`saved.log.pid`*:: +*`traefik.access.user_agent.os_major`*:: + -- type: alias -alias to: process.pid +alias to: user_agent.os.major -- -*`saved.log.ppid`*:: +*`traefik.access.user_agent.os_minor`*:: + -- type: alias -alias to: process.ppid +alias to: user_agent.os.minor -- -*`saved.log.res`*:: +*`traefik.access.user_agent.os_name`*:: + -- type: alias -alias to: event.outcome +alias to: user_agent.os.name -- -*`saved.log.record_type`*:: +*`traefik.access.user_agent.original`*:: + -- type: alias -alias to: event.action +alias to: user_agent.original -- -*`saved.log.geoip.continent_name`*:: +*`traefik.access.geoip.continent_name`*:: + -- type: alias @@ -12989,7 +12974,7 @@ alias to: source.geo.continent_name -- -*`saved.log.geoip.country_iso_code`*:: +*`traefik.access.geoip.country_iso_code`*:: + -- type: alias @@ -12998,7 +12983,7 @@ alias to: source.geo.country_iso_code -- -*`saved.log.geoip.location`*:: +*`traefik.access.geoip.location`*:: + -- type: alias @@ -13007,7 +12992,7 @@ alias to: source.geo.location -- -*`saved.log.geoip.region_name`*:: +*`traefik.access.geoip.region_name`*:: + -- type: alias @@ -13016,7 +13001,7 @@ alias to: source.geo.region_name -- -*`saved.log.geoip.city_name`*:: +*`traefik.access.geoip.city_name`*:: + -- type: alias @@ -13025,7 +13010,7 @@ alias to: source.geo.city_name -- -*`saved.log.geoip.region_iso_code`*:: +*`traefik.access.geoip.region_iso_code`*:: + -- type: alias 
@@ -13034,192 +13019,235 @@ alias to: source.geo.region_iso_code -- -*`saved.log.arch`*:: +[[exported-fields-user]] +== User fields + +Section about user details. + + + +*`terminal`*:: + -- -type: alias +type: keyword + +Terminal or tty device on which the user is performing the observed activity. -alias to: host.architecture -- -*`saved.log.gid`*:: + +*`audit.id`*:: + -- -type: alias +type: keyword + +One or multiple unique identifiers of the user. -alias to: user.group.id -- -*`saved.log.uid`*:: +*`audit.name`*:: + -- -type: alias +type: keyword + +example: albert + +Short name or login of the user. -alias to: user.id -- -*`saved.log.agid`*:: +*`audit.group.id`*:: + -- -type: alias +type: keyword + +Unique identifier for the group on the system/platform. -alias to: user.audit.group.id -- -*`saved.log.auid`*:: +*`audit.group.name`*:: + -- -type: alias +type: keyword + +Name of the group. -alias to: user.audit.id -- -*`saved.log.fsgid`*:: + +*`effective.id`*:: + -- -type: alias +type: keyword + +One or multiple unique identifiers of the user. -alias to: user.filesystem.group.id -- -*`saved.log.fsuid`*:: +*`effective.name`*:: + -- -type: alias +type: keyword + +example: albert + +Short name or login of the user. -alias to: user.filesystem.id -- -*`saved.log.egid`*:: +*`effective.group.id`*:: + -- -type: alias +type: keyword + +Unique identifier for the group on the system/platform. -alias to: user.effective.group.id -- -*`saved.log.euid`*:: +*`effective.group.name`*:: + -- -type: alias +type: keyword + +Name of the group. -alias to: user.effective.id -- -*`saved.log.sgid`*:: + +*`filesystem.id`*:: + -- -type: alias +type: keyword + +One or multiple unique identifiers of the user. -alias to: user.saved.group.id -- -*`saved.log.suid`*:: +*`filesystem.name`*:: + -- -type: alias +type: keyword + +example: albert + +Short name or login of the user. 
-alias to: user.saved.id -- -*`saved.log.ogid`*:: +*`filesystem.group.id`*:: + -- -type: alias +type: keyword + +Unique identifier for the group on the system/platform. -alias to: user.owner.group.id -- -*`saved.log.ouid`*:: +*`filesystem.group.name`*:: + -- -type: alias +type: keyword + +Name of the group. -alias to: user.owner.id -- -*`saved.log.comm`*:: + +*`owner.id`*:: + -- -type: alias +type: keyword + +One or multiple unique identifiers of the user. -alias to: process.name -- -*`saved.log.exe`*:: +*`owner.name`*:: + -- -type: alias +type: keyword + +example: albert + +Short name or login of the user. -alias to: process.executable -- -*`saved.log.terminal`*:: +*`owner.group.id`*:: + -- -type: alias +type: keyword + +Unique identifier for the group on the system/platform. -alias to: user.terminal -- -*`saved.log.tty`*:: +*`owner.group.name`*:: + -- -type: alias +type: keyword + +Name of the group. -alias to: user.terminal -- -*`saved.log.msg`*:: + +*`saved.id`*:: + -- -type: alias +type: keyword + +One or multiple unique identifiers of the user. -alias to: message -- -*`saved.log.src`*:: +*`saved.name`*:: + -- -type: alias +type: keyword + +example: albert + +Short name or login of the user. -alias to: source.address -- -*`saved.log.addr`*:: +*`saved.group.id`*:: + -- -type: alias +type: keyword + +Unique identifier for the group on the system/platform. -alias to: source.address -- -*`saved.log.dst`*:: +*`saved.group.name`*:: + -- -type: alias +type: keyword + +Name of the group. -alias to: destination.address -- diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index e4f68c1df5a..cdc01dade44 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml 
@@ -69,7 +69,7 @@ filebeat.modules: # can be added under this section. #input: -#-------------------------------- Auditd Module -------------------------------- +#--------------------------------- User Module --------------------------------- #- module: auditd #log: #enabled: true diff --git a/filebeat/module/auditd/_meta/fields.yml b/filebeat/module/auditd/_meta/fields.yml index 976fafcfdb1..b351e5ef0f6 100644 --- a/filebeat/module/auditd/_meta/fields.yml +++ b/filebeat/module/auditd/_meta/fields.yml @@ -1,15 +1,3 @@ -- key: auditd - title: "Auditd" - description: > - Module for parsing auditd logs. - short_config: true - fields: - - name: auditd - type: group - description: > - Fields from the auditd logs. - fields: - - key: user title: "User" description: > @@ -126,3 +114,15 @@ type: keyword description: > Name of the group. + +- key: auditd + title: "Auditd" + description: > + Module for parsing auditd logs. + short_config: true + fields: + - name: auditd + type: group + description: > + Fields from the auditd logs. + fields: diff --git a/filebeat/module/auditd/fields.go b/filebeat/module/auditd/fields.go index 48d610274f3..73372f769fb 100644 --- a/filebeat/module/auditd/fields.go +++ b/filebeat/module/auditd/fields.go 
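Review bot: The relocated `auditd` entry in the second fields.yml hunk ends on a bare `fields:` key with nothing under it, so on its own this file parses as `fields: null` and only becomes a valid group once the fileset field definitions are appended below it, yet nothing in the file records that ordering requirement, so the next reorder will reintroduce exactly the mistake the commit title describes. Add a comment on the moved block, e.g. `# Keep this entry last: the fileset fields.yml files are appended under this open "fields:" group during asset generation.` — the append step itself is inferred from the commit title, so confirm the wording against the generator. A side-effect is visible in the first hunk of this line: the generated reference config now titles the section `User Module` directly above `#- module: auditd`, apparently because the first key's title is taken as the module heading, which will mislead anyone reading the reference file. The fields.asciidoc hunk above likewise renders the `user` key's entries as top-level `terminal` and `audit.id` rather than `user.*`, which suggests the new `user` section may be missing a `name: user` group wrapper; worth confirming before merging.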
@@ -32,5 +32,5 @@ func init() { // AssetAuditd returns asset data. // This is the base64 encoded gzipped contents of module/auditd. func AssetAuditd() string { - return "eJzsWc+O2zYTv/spBvkuXw9Rc+phCxQoUAQI0KaHJGeDIkcysRRHIYf2qk9fkJJtWZJtWTZyqXkIYEX8/ZkZkRzue3jF5gVEUJrVCoA1G3yBd7+nB+9WAAq9dLpmTfYFflsBAPxFKhiEghzUwnltyw4ADJU+WwH4DTleS7KFLl+AXcAVQKHRKP+SIN6DFRX2iOPgpsYXKB2FunsyQR7Hx4QEhaMKeIND9jj2ZKvOYfDoev6+eXRn3H1BGX+CyClwmgcKWWiTsA+4fReMrtJWmBMfr9jsyKnLTr52M4EcMDegcKslAlnYbbTcJHdJgvZQoysovl6mx5R7dFtUICTrreYmW41Dezay/WT0Z2l1eDRt5IKZOP62GL1UwbCuDUKw+ntA0Aot60Kj80DFwVY24o//zlCAb6KqYyaFydHxPG1fYlUmhijRUKntqZiRmhSx7N6YfBvGIH06kTbhx2zHH77xjNXPtREc8zyOTatmZoQu6Injc4pCcVQxqB4sivgdbPFZQb1xtYKmU/ZfLKBCG2wFPSuoN54VdBjXKoh2Nu3Z8CyebjyL5zCuFY8XWzx/rnwWz7N4TotnSGeoHPH0K+gKy7BD+VPb8NYeySN0Bp+JQRjTVSIIh6BIhgoto4INOoQcpQgeT3B5g037cmNFpSUIq2ArXAN508HjFi0nxVlv6rDi+17JqLUIJ4meEcSPhypKjB54o33sU1JzYlQn59MfsbzUIeupm6mdjj9pBJowEmo2KdXi7tFSLe4OUjP4um8no3ApLOTY6p8S64REKAIHhwdkOrqMj0CnMtOu+wK4AbkRtkQP/zf6FUegOUpKPZ4j4p+moxAT5tE/OF8evY+N7+Mz9litMWFHrRl84kGigDWCGIEmH0yDhOVNH2zSgsfvAa0c5qpdFAzZ8jZzxxJrP9U9PNhQ5f2FuK9BM1Y3BjHytJBxrUsAoC2ILqjneW6nibPaJQa0VVoKRt/dYKT/osD79ZaJhRnqyiZQtd+/pT38g47e58Kj+hUEbIUJaQH/ABUK60HzvjgK7Twn0Gl/4sPt7lpM4cq0PO8/8XbHAimMOVJNc0rJk7UjjBbDpNaCN+111XCzi6PSpROt1u5WbUxXj5bHa2y1I4neZ+OZs/juIFzG6EbryTXCtuIpsKRFMXUoyal1pFnELNKd4gLiEknXk5TD0wic2eX7aJIsa4uW1xO1ddnN0ZGn4CRmJVJ2Fe+SxVNhwbJr1trTWpJ6iLSriHPFGZJiIn0LRF1AmivGYanJPih/l8FmJ09z86iCugB1Y4QeV0rXAc9JO3n1f/uuIEdDO9jFM74lBoWFthh3Tvgle4M8cPt/nrUxkGM8DNZUByMY1ZldzcnNjevShjxncZ5mlPFAtGRxunnhT/vaRGM5l3F89J/FuIhLLLSXznb3mJxocG4gXkRZ+IVmj9e89zgu/ELLPfpFxLjQ9uHPI/e4xoWmj+SLaJemOl2p3eN3aZJb4kWUtNBrunu+xyst9NoSL6KUVA1bt7nn8IWdBr7dehreE+IbysAiN0toB39uvym+Z+bOouXmBzNWfni1cI2xQu9FuSSo3skbuboTklDKoR++MmufU8r9aE7lb23FFXrWNuHO5P03AAD//6pKYB4=" + return "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" }