Data Source: Linux Auditd Execve

Date: 2025-02-20

ID: 9ef6364d-cc67-480e-8448-3306829a6a24

Author: Teoderick Contreras, Splunk

Description

Logs the execution of processes on a Linux system, including details about the executed command, arguments, and the initiating process.

Details

Property	Value
Source	`auditd`
Sourcetype	`auditd`
Separator	type

Supported Apps

Splunk Add-on for Unix and Linux (version 10.0.0)

Event Fields

+ Fields

  <span class="pill kill-chain">msg</span>
  
  <span class="pill kill-chain">type</span>
  
  <span class="pill kill-chain">msg</span>
  
  <span class="pill kill-chain">argc</span>
  
</div>

Example Log

1type=EXECVE msg=audit(1723044684.257:15795): argc=3 a0="sudo" a1="LD_PRELOAD=./myfopen.so" a2="./prog"

Source: GitHub | Version: 2