# Sigma backend configuration for Elastic Auditbeat (7.x and later).
# It tells the Elasticsearch-family backends which index pattern to query,
# how to recognise the Linux auditd logsource, and how the field names used
# in Sigma rules translate to the Auditbeat/ECS field names stored in the index.
title: Elastic Auditbeat (from 7.x) index pattern and field mapping
# NOTE(review): presumably the precedence used when several configs are
# combined on the command line — confirm against the sigmac documentation.
order: 20
# Backends this configuration is valid for.
backends:
  - es-qs
  - es-dsl
  - es-rule
  - es-rule-eql
  - es-eql
  - kibana
  - kibana-ndjson
  - xpack-watcher
  - elastalert
  - elastalert-dsl
  - ee-outliers

logsources:
  # Matches rules declaring product: linux / service: auditd.
  linux_auditd:
    product: linux
    service: auditd
    conditions:
      # Added to generated queries so rules only match events emitted by the
      # Auditbeat auditd module and not other modules written to the same index.
      event.module: auditd

# Index pattern queried when a rule gives none; the wildcard covers every
# auditbeat-* index regardless of version or date suffix.
defaultindex: auditbeat-*

# Keys are the field names as written in Sigma rules; values are the fields in
# the Auditbeat index. Most raw auditd key/value pairs live under auditd.data.*,
# PATH-record fields under auditd.paths.*, and identity/process fields use ECS
# names (user.*, process.*). A rule field with no entry here is presumably
# emitted verbatim — a mapping (or its absence) that points at a field the
# index does not hold makes the generated query match nothing, silently.
fieldmappings:
  # https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields-auditd.html
  # Syscall arguments a0..a3.
  a0: auditd.data.a0
  a1: auditd.data.a1
  a2: auditd.data.a2
  a3: auditd.data.a3
  acct: auditd.data.acct
  acl: auditd.data.acl
  action: auditd.data.action
  added: auditd.data.added
  # Socket addresses are nested one level deeper than other auditd.data.* keys.
  addr: auditd.data.socket.addr
  apparmor: auditd.data.apparmor
  arch: auditd.data.arch
  argc: auditd.data.argc
  audit_backlog_limit: auditd.data.audit_backlog_limit
  audit_backlog_wait_time: auditd.data.audit_backlog_wait_time
  audit_enabled: auditd.data.audit_enabled
  audit_failure: auditd.data.audit_failure
  # Login (audit) uid is kept under ECS user.* rather than auditd.data.*.
  auid: user.auid
  banners: auditd.data.banners
  bool: auditd.data.bool
  bus: auditd.data.bus
  capability: auditd.data.capability
  cap_fe: auditd.data.cap_fe
  cap_fi: auditd.data.cap_fi
  cap_fp: auditd.data.cap_fp
  cap_fver: auditd.data.cap_fver
  cap_pa: auditd.data.cap_pa
  cap_pe: auditd.data.cap_pe
  cap_pi: auditd.data.cap_pi
  cap_pp: auditd.data.cap_pp
  # SELinux context components (category, role, type, user) map to user.selinux.*.
  category: user.selinux.category
  cgroup: auditd.data.cgroup
  changed: auditd.data.changed
  cipher: auditd.data.cipher
  class: auditd.data.class
  cmd: auditd.data.cmd
  code: auditd.data.code
  comm: auditd.data.comm
  compat: auditd.data.compat
  # ECS process field, not auditd.data.cwd.
  cwd: process.cwd
  daddr: auditd.data.daddr
  data: auditd.data.data
  default-context: auditd.data.default-context
  # PATH-record attributes live under auditd.paths.* (dev, inode, item, mode,
  # name, nametype, ogid, ouid, rdev).
  dev: auditd.paths.dev
  device: auditd.data.device
  dir: auditd.data.dir
  direction: auditd.data.direction
  dmac: auditd.data.dmac
  dport: auditd.data.dport
  enforcing: auditd.data.enforcing
  entries: auditd.data.entries
  # ECS process field, not auditd.data.exe.
  exe: process.executable
  exit: auditd.data.exit
  fam: auditd.data.fam
  family: auditd.data.family
  fd: auditd.data.fd
  file: auditd.data.file
  flags: auditd.data.flags
  fe: auditd.data.fe
  feature: auditd.data.feature
  fi: auditd.data.fi
  fp: auditd.data.fp
  format: auditd.data.format
  fsgid: user.fsgid
  fsuid: user.fsuid
  fver: auditd.data.fver
  gid: user.gid
  grantors: auditd.data.grantors
  grp: auditd.data.grp
  hook: auditd.data.hook
  hostname: auditd.data.hostname
  icmp_type: auditd.data.icmp_type
  id: auditd.data.id
  igid: auditd.data.igid
  img-ctx: auditd.data.img-ctx
  inif: auditd.data.inif
  ip: auditd.data.ip
  ipid: auditd.data.ipid
  ino: auditd.data.ino
  inode: auditd.paths.inode
  inode_gid: auditd.data.inode_gid
  inode_uid: auditd.data.inode_uid
  invalid_context: auditd.data.invalid_context
  ioctlcmd: auditd.data.ioctlcmd
  ipx-net: auditd.data.ipx-net
  item: auditd.paths.item
  items: auditd.data.items
  iuid: auditd.data.iuid
  kernel: auditd.data.kernel
  kind: auditd.data.kind
  ksize: auditd.data.ksize
  laddr: auditd.data.laddr
  len: auditd.data.len
  lport: auditd.data.lport
  list: auditd.data.list
  mac: auditd.data.mac
  macproto: auditd.data.macproto
  maj: auditd.data.maj
  major: auditd.data.major
  minor: auditd.data.minor
  mode: auditd.paths.mode
  model: auditd.data.model
  msg: auditd.data.msg
  nargs: auditd.data.nargs
  # File name recorded in the PATH record.
  name: auditd.paths.name
  nametype: auditd.paths.nametype
  net: auditd.data.net
  new: auditd.data.new
  new-chardev: auditd.data.new-chardev
  new-disk: auditd.data.new-disk
  new-enabled: auditd.data.new-enabled
  new-fs: auditd.data.new-fs
  new_gid: auditd.data.new_gid
  new-level: auditd.data.new-level
  new_lock: auditd.data.new_lock
  new-log_passwd: auditd.data.new-log_passwd
  new-mem: auditd.data.new-mem
  new-net: auditd.data.new-net
  new_pe: auditd.data.new_pe
  new_pi: auditd.data.new_pi
  new_pp: auditd.data.new_pp
  new-range: auditd.data.new-range
  new-rng: auditd.data.new-rng
  new-role: auditd.data.new-role
  new-seuser: auditd.data.new-seuser
  new-vcpu: auditd.data.new-vcpu
  nlnk-fam: auditd.data.nlnk-fam
  nlnk-grp: auditd.data.nlnk-grp
  nlnk-pid: auditd.data.nlnk-pid
  oauid: auditd.data.oauid
  obj: auditd.data.obj
  obj_gid: auditd.data.obj_gid
  obj_uid: auditd.data.obj_uid
  oflag: auditd.data.oflag
  ogid: auditd.paths.ogid
  ocomm: auditd.data.ocomm
  old: auditd.data.old
  old-auid: auditd.data.old-auid
  old-chardev: auditd.data.old-chardev
  old-disk: auditd.data.old-disk
  old-enabled: auditd.data.old-enabled
  old_enforcing: auditd.data.old_enforcing
  old-fs: auditd.data.old-fs
  old-level: auditd.data.old-level
  old_lock: auditd.data.old_lock
  old-log_passwd: auditd.data.old-log_passwd
  old-mem: auditd.data.old-mem
  old-net: auditd.data.old-net
  old_pa: auditd.data.old_pa
  old_pe: auditd.data.old_pe
  old_pi: auditd.data.old_pi
  old_pp: auditd.data.old_pp
  old_prom: auditd.data.old_prom
  old-range: auditd.data.old-range
  old-rng: auditd.data.old-rng
  old-role: auditd.data.old-role
  old-ses: auditd.data.old-ses
  old-seuser: auditd.data.old-seuser
  old_val: auditd.data.old_val
  old-vcpu: auditd.data.old-vcpu
  op: auditd.data.op
  opid: auditd.data.opid
  oses: auditd.data.oses
  ouid: auditd.paths.ouid
  outif: auditd.data.outif
  parent: auditd.data.parent
  # NOTE(review): `path` maps to ECS source.path, whereas PATH-record file
  # names map to auditd.paths.name (see `name` above). Confirm which field
  # rules that filter on file paths need; querying a field the documents do
  # not carry yields no hits.
  path: source.path
  per: auditd.data.per
  perm: auditd.data.perm
  perm_mask: auditd.data.perm_mask
  permissive: auditd.data.permissive
  pfs: auditd.data.pfs
  printer: auditd.data.printer
  prom: auditd.data.prom
  # NOTE(review): the only target that is neither auditd.* nor an ECS
  # namespaced field — verify a top-level `proctitle` exists in the index.
  proctitle: proctitle
  proto: auditd.data.proto
  qbytes: auditd.data.qbytes
  range: auditd.data.range
  rdev: auditd.paths.rdev
  reason: auditd.data.reason
  removed: auditd.data.removed
  res: auditd.data.res
  resrc: auditd.data.resrc
  # Summarised outcome sits directly under auditd.*, not auditd.data.*.
  result: auditd.result
  role: user.selinux.role
  rport: auditd.data.rport
  saddr: auditd.data.socket.saddr
  sauid: auditd.data.sauid
  scontext: auditd.data.scontext
  selected-context: auditd.data.selected-context
  seperm: auditd.data.seperm
  seqno: auditd.data.seqno
  seperms: auditd.data.seperms
  seresult: auditd.data.seresult
  ses: auditd.data.ses
  seuser: auditd.data.seuser
  sgid: user.sgid
  sig: auditd.data.sig
  sigev_signo: auditd.data.sigev_signo
  smac: auditd.data.smac
  spid: auditd.data.spid
  sport: auditd.data.sport
  state: auditd.data.state
  subj: auditd.data.subj
  success: auditd.data.success
  suid: user.suid
  syscall: auditd.data.syscall
  table: auditd.data.table
  # Alias of `file` above (same target) so rules written with the generic
  # Sigma key translate too.
  TargetFileName: auditd.data.file
  tclass: auditd.data.tclass
  tcontext: auditd.data.tcontext
  terminal: auditd.data.terminal
  tty: auditd.data.tty
  # SELinux type is exposed as user.selinux.domain.
  type: user.selinux.domain
  uid: user.uid
  unit: auditd.data.unit
  uri: auditd.data.uri
  user: user.selinux.user
  uuid: auditd.data.uuid
  val: auditd.data.val
  ver: auditd.data.ver
  # NOTE(review): key `ssvirt` does not mirror its target suffix `virt` the
  # way every other entry does — possibly a typo. Rules using `virt` would
  # presumably pass through untranslated; confirm against the field list.
  ssvirt: auditd.data.virt
  vm: auditd.data.vm
  vm-ctx: auditd.data.vm-ctx
  vm-pid: auditd.data.vm-pid
  watch: auditd.data.watch