Data Source: Linux Auditd Path

Description

Logs file system access events on a Linux system, including details about file paths, permissions, and associated processes.

Details

Property     Value
Source       auditd
Sourcetype   auditd
Separator    type

Supported Apps

Event Fields

msg
type
item
name
inode
dev
mode
ouid
ogid
rdev
nametype
cap_fp
cap_fi
cap_fe
cap_fver
cap_frootid
OUID
OGID

Example Log

type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~" inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
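As an added example (not code from the page or from the project it documents), the parser below splits the PATH record above into its fields, decodes the msg timestamp/serial and the octal mode, and applies a hypothetical detection rule for DELETE records under /etc; the sample record and the WATCHED_PREFIXES list are assumptions constructed for the example.

```python
import re
import stat
from typing import Any, Dict

# Constructed sample: the PATH record from the Example Log above, as a single line.
SAMPLE_PATH_RECORD = (
    'type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~" '
    'inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE '
    'cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"'
)

# Each field is key=value; the value is double-quoted (name, OUID, OGID) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(<epoch seconds>:<serial>): the serial links this PATH record to the
# other records (SYSCALL, CWD, ...) of the same audit event.
_MSG_RE = re.compile(r'^audit\((\d+\.\d+):(\d+)\):?$')

def parse_path_record(line: str) -> Dict[str, Any]:
    """Split a PATH record into fields and decode msg, mode and the numeric ids."""
    rec: Dict[str, Any] = {}
    for key, raw in _KV_RE.findall(line):
        rec[key] = raw[1:-1] if raw.startswith('"') else raw
    if rec.get("type") != "PATH":
        raise ValueError("not a PATH record")
    m = _MSG_RE.match(rec.get("msg", ""))
    if not m:
        raise ValueError("malformed msg field")
    rec["audit_time"] = float(m.group(1))   # event timestamp, epoch seconds
    rec["audit_serial"] = int(m.group(2))   # event serial shared by all its records
    for key in ("item", "inode", "ouid", "ogid", "cap_fp", "cap_fi", "cap_fe",
                "cap_fver", "cap_frootid"):
        if key in rec:
            rec[key] = int(rec[key])
    # mode is octal: file-type bits plus permission bits (0100644 = regular file, 0644)
    mode = int(rec["mode"], 8)
    rec["is_regular_file"] = stat.S_ISREG(mode)
    rec["perm_octal"] = f"{stat.S_IMODE(mode):04o}"
    rec["mode_symbolic"] = stat.filemode(mode)
    return rec

# Hypothetical rule (assumption, not from the page): flag deletions under watched paths.
WATCHED_PREFIXES = ("/etc/",)

def is_watched_delete(rec: Dict[str, Any]) -> bool:
    """True when the PATH record is a DELETE of a file under a watched directory."""
    return rec.get("nametype") == "DELETE" and rec.get("name", "").startswith(WATCHED_PREFIXES)

if __name__ == "__main__":
    r = parse_path_record(SAMPLE_PATH_RECORD)
    print(r["name"], r["nametype"], r["mode_symbolic"], r["OUID"], is_watched_delete(r))
```

The `audit_serial` value is what you join on to pull the matching SYSCALL record, which carries the process fields that the PATH record itself lacks.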

Source: GitHub | Version: 2