Data Source: Linux Auditd Add User

Description

Data source object for the Linux Auditd ADD_USER record type, emitted when a local account is created (for example by /usr/sbin/useradd). The audit user ID (auid) identifies the login session that performed the action and survives su/sudo, so it rather than uid is the field that names the operator.

Details

Property Value
Source /var/log/audit/audit.log
Sourcetype linux:audit

Supported Apps

Event Fields

Fields (in the order they appear in the record; msg occurs twice, once as the audit(timestamp:serial) header and once as the quoted payload, and the uppercase UID/AUID/ID fields are the name-resolved copies added by auditd's ENRICHED log format):

msg
type
pid
uid
auid
ses
subj
msg
op
id
exe
hostname
addr
terminal
res
UID
AUID
ID

Example Log

type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000 ses=1 subj=unconfined msg='op=adding user id=1002 exe="/usr/sbin/useradd" hostname=ar-linux1 addr=? terminal=pts/1 res=success'UID="root" AUID="ubuntu" ID="unknown(1002)"

In the ENRICHED format the uppercase fields follow the raw record after an ASCII group separator (0x1D), which the rendering above has dropped; that is why res=success' and UID="root" appear run together. Parsers should treat that byte as whitespace rather than relying on a space being present.
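The following is an added example, not code from the page or from the Splunk security content project. It parses ADD_USER records in the shape shown above (including the quoted msg='...' payload, the unquoted multi-word op value, and the optional 0x1D separator before the enriched fields) and then runs a simple detection over a constructed set of log lines: every successful ADD_USER is reported with the login identity that created the account, and additions made outside any login session (auid unset) are called out separately. The sample lines other than the page's own record, the field names in the findings and the constant names are this example's assumptions.

```python
import re

# auditd's ENRICHED log format puts an ASCII group separator (0x1D) between the
# raw record and the name-resolved UID/AUID/ID fields; rendered pages often drop it.
GS = "\x1d"
# auid=4294967295 is (uint32)-1, the kernel's "no login session" marker; auditd
# enriches it as AUID="unset".
UNSET_AUID = "4294967295"

# Outer record tokens: key=value where value is '...' (may contain spaces and
# double quotes), "..." or a bare token.
_KV_RE = re.compile(r"""(\w+)=('(?:[^'\\]|\\.)*'|"[^"]*"|\S*)""")
_AUDIT_HDR_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\)")


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def _parse_payload(payload):
    """Split the msg='...' payload on whitespace that precedes the next key=,
    so unquoted multi-word values such as op=adding user stay intact."""
    out = {}
    for token in re.split(r"\s+(?=\w+=)", payload.strip()):
        key, _, raw = token.partition("=")
        out[key] = _unquote(raw)
    return out


def parse_audit_record(line):
    """Flatten one audit.log line into a dict of field -> string.
    The audit(...) header becomes 'timestamp' (float) and 'serial' (int)."""
    fields = {}
    for key, raw in _KV_RE.findall(line.strip().replace(GS, " ")):
        value = _unquote(raw)
        if key == "msg" and raw.startswith("'"):
            fields.update(_parse_payload(value))
        elif key == "msg":
            hdr = _AUDIT_HDR_RE.match(value)
            if hdr:
                fields["timestamp"] = float(f"{hdr.group(1)}.{hdr.group(2)}")
                fields["serial"] = int(hdr.group(3))
        else:
            fields[key] = value
    return fields


def detect_user_additions(lines):
    """Return one finding per successful ADD_USER record. The raw numeric id is
    used for the new account because ID="unknown(...)" only reflects the name
    lookup at log time."""
    findings = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "ADD_USER" or rec.get("res") != "success":
            continue
        interactive = rec.get("auid") != UNSET_AUID
        findings.append({
            "serial": rec.get("serial"),
            "actor": rec.get("AUID") or rec.get("auid"),
            "new_uid": rec.get("id"),
            "exe": rec.get("exe"),
            "terminal": rec.get("terminal"),
            "hostname": rec.get("hostname"),
            "reason": (f"account created by login session {rec.get('ses', '?')}"
                       if interactive
                       else "account created with no login session (auid unset)"),
        })
    return findings


# Constructed sample: the first line is the page's own example record (with the
# 0x1D separator restored); the rest are made up for this example.
SAMPLE_LOG = [
    "type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000 ses=1 subj=unconfined "
    "msg='op=adding user id=1002 exe=\"/usr/sbin/useradd\" hostname=ar-linux1 addr=? terminal=pts/1 res=success'"
    "\x1dUID=\"root\" AUID=\"ubuntu\" ID=\"unknown(1002)\"",
    # same operator, second attempt fails: not a finding
    "type=ADD_USER msg=audit(1722950900.101:7002): pid=1810 uid=0 auid=1000 ses=1 subj=unconfined "
    "msg='op=adding user id=1002 exe=\"/usr/sbin/useradd\" hostname=ar-linux1 addr=? terminal=pts/1 res=failed'"
    "\x1dUID=\"root\" AUID=\"ubuntu\" ID=\"unknown(1002)\"",
    # account removal, a different record type: not a finding
    "type=DEL_USER msg=audit(1722950950.500:7010): pid=1830 uid=0 auid=1000 ses=1 subj=unconfined "
    "msg='op=deleting user entries id=1002 exe=\"/usr/sbin/userdel\" hostname=ar-linux1 addr=? terminal=pts/1 res=success'"
    "\x1dUID=\"root\" AUID=\"ubuntu\" ID=\"svc\"",
    # creation with no login session (daemon or cron); separator already lost, as on the page
    "type=ADD_USER msg=audit(1722951000.000:7020): pid=1900 uid=0 auid=4294967295 ses=4294967295 subj=unconfined "
    "msg='op=adding user id=1003 exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=? res=success'"
    " UID=\"root\" AUID=\"unset\" ID=\"unknown(1003)\"",
]

if __name__ == "__main__":
    for finding in detect_user_additions(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample this yields two findings: the page's record (actor ubuntu, new uid 1002, created from pts/1 in session 1) and the session-less creation of uid 1003. Filtering on res=success and type=ADD_USER first, then keying on AUID rather than UID, is what keeps "root ran useradd" from masking which human or automation actually did it.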

Source: GitHub | Version: 1