docs/reference/auditbeat/exported-fields-system.md
% This file is generated! See dev-tools/mage/generate_fields_docs.go
These are the fields generated by the system module.
event.origin
: Origin of the event. This can be a file path (e.g. /var/log/log.1), or the name of the system component that supplied the data (e.g. netlink).
type: keyword
user.entity_id
: ID uniquely identifying the user on a host. It is computed as a SHA-256 hash of the host ID, user ID, and user name.
type: keyword
user.terminal
: Terminal of the user.
type: keyword
process.thread.capabilities.effective
: This is the set of capabilities used by the kernel to perform permission checks for the thread.
type: keyword
example: ["CAP_BPF", "CAP_SYS_ADMIN"]
process.thread.capabilities.permitted
: This is a limiting superset for the effective capabilities that the thread may assume.
type: keyword
example: ["CAP_BPF", "CAP_SYS_ADMIN"]
Hashes of the executable. The keys are algorithm names and the values are the hex encoded digest values.
process.hash.blake2b_256
: BLAKE2b-256 hash of the executable.
type: keyword
process.hash.blake2b_384
: BLAKE2b-384 hash of the executable.
type: keyword
process.hash.blake2b_512
: BLAKE2b-512 hash of the executable.
type: keyword
process.hash.sha224
: SHA224 hash of the executable.
type: keyword
process.hash.sha384
: SHA384 hash of the executable.
type: keyword
process.hash.sha3_224
: SHA3_224 hash of the executable.
type: keyword
process.hash.sha3_256
: SHA3_256 hash of the executable.
type: keyword
process.hash.sha3_384
: SHA3_384 hash of the executable.
type: keyword
process.hash.sha3_512
: SHA3_512 hash of the executable.
type: keyword
process.hash.sha512_224
: SHA512/224 hash of the executable.
type: keyword
process.hash.sha512_256
: SHA512/256 hash of the executable.
type: keyword
process.hash.xxh64
: XXH64 (64-bit xxHash) hash of the executable.
type: keyword
stack: beta
host contains general host information.
system.audit.host.uptime
: Uptime in nanoseconds.
type: long
format: duration
system.audit.host.boottime
: Boot time.
type: date
system.audit.host.containerized
: True if the host is running in a container.
type: boolean
system.audit.host.timezone.name
: Name of the timezone of the host, e.g. BST.
type: keyword
system.audit.host.timezone.offset.sec
: Timezone offset in seconds.
type: long
system.audit.host.hostname
: Hostname.
type: keyword
system.audit.host.id
: Host ID.
type: keyword
system.audit.host.architecture
: Host architecture (e.g. x86_64).
type: keyword
system.audit.host.mac
: MAC addresses.
type: keyword
system.audit.host.ip
: IP addresses.
type: ip
os contains information about the operating system.
system.audit.host.os.codename
: OS codename, if any (e.g. stretch).
type: keyword
system.audit.host.os.platform
: OS platform (e.g. centos, ubuntu, windows).
type: keyword
system.audit.host.os.name
: OS name (e.g. Mac OS X).
type: keyword
system.audit.host.os.family
: OS family (e.g. redhat, debian, freebsd, windows).
type: keyword
system.audit.host.os.version
: OS version.
type: keyword
system.audit.host.os.kernel
: The operating system's kernel version.
type: keyword
system.audit.host.os.type
: OS type (see ECS os.type).
type: keyword
stack: beta
package contains information about an installed or removed package.
system.audit.package.entity_id
: ID uniquely identifying the package. It is computed as a SHA-256 hash of the host ID, package name, and package version.
type: keyword
system.audit.package.name
: Package name.
type: keyword
system.audit.package.version
: Package version.
type: keyword
system.audit.package.release
: Package release.
type: keyword
system.audit.package.arch
: Package architecture.
type: keyword
system.audit.package.license
: Package license.
type: keyword
system.audit.package.installtime
: Package install time.
type: date
system.audit.package.size
: Package size.
type: long
system.audit.package.summary
: Package summary.
system.audit.package.url
: Package URL.
type: keyword
stack: beta
user contains information about the users on a system.
system.audit.user.name
: User name.
type: keyword
system.audit.user.uid
: User ID.
type: keyword
system.audit.user.gid
: Group ID.
type: keyword
system.audit.user.dir
: User's home directory.
type: keyword
system.audit.user.shell
: Program to run at login.
type: keyword
system.audit.user.user_information
: General user information. On Linux, this is the gecos field.
type: keyword
system.audit.user.group
: group contains information about any groups the user is part of (beyond the user's primary group).
type: object
password contains information about a user's password (not the password itself).
system.audit.user.password.type
: The user's password type. Possible values are shadow_password (the password hash is in the shadow file), password_disabled, no_password (this is dangerous, as anyone can log in), and crypt_password (the password field in /etc/passwd appears to contain an encrypted password).
type: keyword
system.audit.user.password.last_changed
: The day the user's password was last changed.
type: date