# Sigma (sigmac) backend configuration: maps Sigma rule field names for the
# linux/auditd log source onto the field names present in Elastic Auditbeat
# (7.x and later) documents, so that translated queries target real fields.
title: Elastic Auditbeat (from 7.x) index pattern and field mapping following Elastic enabled Modules
# Precedence relative to other configs applied in the same sigmac run.
order: 20
# Backends this configuration is valid for.
backends:
  - es-qs
  - es-dsl
  - es-rule
  - es-rule-eql
  - es-eql
  - kibana
  - kibana-ndjson
  - xpack-watcher
  - elastalert
  - elastalert-dsl
  - ee-outliers
logsources:
  linux_auditd:
    product: linux
    service: auditd
    # Added as a filter to every translated query so that only auditd events
    # shipped by Auditbeat are matched.
    conditions:
      event.provider: auditd
# Index pattern used when a rule/logsource does not set its own.
defaultindex: auditd-*
# Left side: audit record key (see the dictionary below); right side: field
# name queried in Elasticsearch.
fieldmappings:
  # https://github.com/linux-audit/audit-documentation/blob/main/specs/fields/field-dictionary.csv
  #a[0-3]: a[0-3]
  #a[[:digit:]+]\[.*\]: a[[:digit:]+]\[.*\]
  # NOTE(review): a0..a3 all collapse onto the single field process.args, so a
  # rule that distinguishes argument position (a1 vs a2) loses that distinction
  # once translated, and a0/a1 on SYSCALL records are raw syscall arguments
  # rather than program arguments — confirm this is the intended semantics
  # against the Auditbeat auditd module field reference for the version in use.
  a0: process.args
  a1: process.args
  a2: process.args
  a3: process.args
  # NOTE(review): every entry below except `exe` maps the raw audit key onto a
  # top-level field of the same name. Auditbeat's auditd module is documented
  # as storing these key/value pairs under auditd.data.* and promoting some of
  # them to ECS fields (e.g. pid/ppid/comm/cwd to process.*, uid/euid to
  # user.*, the rule `key` to tags). If that holds for the deployed version, a
  # rule such as `syscall: execve` is translated into a query on a field that
  # does not exist and silently matches nothing — a detection gap rather than an
  # error. Verify each mapping against the actual index mapping before relying
  # on rules that use these fields.
  acct: acct
  acl: acl
  action: action
  added: added
  addr: addr
  apparmor: apparmor
  arch: arch
  argc: argc
  audit_backlog_limit: audit_backlog_limit
  audit_backlog_wait_time: audit_backlog_wait_time
  audit_enabled: audit_enabled
  audit_failure: audit_failure
  auid: auid
  banners: banners
  bool: bool
  bus: bus
  capability: capability
  cap_fe: cap_fe
  cap_fi: cap_fi
  cap_fp: cap_fp
  cap_fver: cap_fver
  cap_pa: cap_pa
  cap_pe: cap_pe
  cap_pi: cap_pi
  cap_pp: cap_pp
  category: category
  cgroup: cgroup
  changed: changed
  cipher: cipher
  class: class
  cmd: cmd
  code: code
  comm: comm
  compat: compat
  cwd: cwd
  daddr: daddr
  data: data
  default-context: default-context
  dev: dev
  device: device
  dir: dir
  direction: direction
  dmac: dmac
  dport: dport
  egid: egid
  enforcing: enforcing
  entries: entries
  errno: errno
  euid: euid
  # Only non-identity mapping besides a0..a3: the executable path is an ECS field.
  exe: process.executable
  exit: exit
  fam: fam
  family: family
  fd: fd
  file: file
  flags: flags
  fe: fe
  feature: feature
  fi: fi
  fp: fp
  format: format
  fsgid: fsgid
  fsuid: fsuid
  fver: fver
  gid: gid
  grantors: grantors
  grp: grp
  hook: hook
  hostname: hostname
  icmp_type: icmp_type
  id: id
  igid: igid
  img-ctx: img-ctx
  inif: inif
  ip: ip
  ipid: ipid
  ino: ino
  inode: inode
  inode_gid: inode_gid
  inode_uid: inode_uid
  invalid_context: invalid_context
  ioctlcmd: ioctlcmd
  ipx-net: ipx-net
  item: item
  items: items
  iuid: iuid
  kernel: kernel
  key: key
  kind: kind
  ksize: ksize
  laddr: laddr
  len: len
  lport: lport
  list: list
  mac: mac
  macproto: macproto
  maj: maj
  major: major
  minor: minor
  mode: mode
  model: model
  msg: msg
  nargs: nargs
  name: name
  nametype: nametype
  net: net
  new: new
  new-chardev: new-chardev
  new-disk: new-disk
  new-enabled: new-enabled
  new-fs: new-fs
  new_gid: new_gid
  new-level: new-level
  new_lock: new_lock
  new-log_passwd: new-log_passwd
  new-mem: new-mem
  new-net: new-net
  new_pe: new_pe
  new_pi: new_pi
  new_pp: new_pp
  new-range: new-range
  new-rng: new-rng
  new-role: new-role
  new-seuser: new-seuser
  new-vcpu: new-vcpu
  nlnk-fam: nlnk-fam
  nlnk-grp: nlnk-grp
  nlnk-pid: nlnk-pid
  oauid: oauid
  obj: obj
  obj_gid: obj_gid
  obj_uid: obj_uid
  oflag: oflag
  ogid: ogid
  ocomm: ocomm
  old: old
  old-auid: old-auid
  old-chardev: old-chardev
  old-disk: old-disk
  old-enabled: old-enabled
  old_enforcing: old_enforcing
  old-fs: old-fs
  old-level: old-level
  old_lock: old_lock
  old-log_passwd: old-log_passwd
  old-mem: old-mem
  old-net: old-net
  old_pa: old_pa
  old_pe: old_pe
  old_pi: old_pi
  old_pp: old_pp
  old_prom: old_prom
  old-range: old-range
  old-rng: old-rng
  old-role: old-role
  old-ses: old-ses
  old-seuser: old-seuser
  old_val: old_val
  old-vcpu: old-vcpu
  op: op
  opid: opid
  oses: oses
  ouid: ouid
  outif: outif
  pa: pa
  pe: pe
  pi: pi
  pp: pp
  parent: parent
  path: path
  per: per
  perm: perm
  perm_mask: perm_mask
  permissive: permissive
  pfs: pfs
  pid: pid
  ppid: ppid
  printer: printer
  prom: prom
  proctitle: proctitle
  proto: proto
  qbytes: qbytes
  range: range
  rdev: rdev
  reason: reason
  removed: removed
  res: res
  resrc: resrc
  result: result
  role: role
  rport: rport
  saddr: saddr
  sauid: sauid
  scontext: scontext
  selected-context: selected-context
  seperm: seperm
  seqno: seqno
  seperms: seperms
  seresult: seresult
  ses: ses
  seuser: seuser
  sgid: sgid
  sig: sig
  sigev_signo: sigev_signo
  smac: smac
  spid: spid
  sport: sport
  state: state
  subj: subj
  success: success
  suid: suid
  syscall: syscall
  table: table
  tclass: tclass
  tcontext: tcontext
  terminal: terminal
  tty: tty
  type: type
  uid: uid
  unit: unit
  uri: uri
  user: user
  uuid: uuid
  val: val
  ver: ver
  virt: virt
  vm: vm
  vm-ctx: vm-ctx
  vm-pid: vm-pid
  watch: watch