Data Source: Linux Auditd Daemon Abort

Date: 2025-06-06

ID: cc8b3bb0-0fae-4236-9c61-fe2d7138bd63

Author: Teoderick Contreras, Splunk

Description

Logs the execution of processes on a Linux system, including details about the auditd daemon status.

Details

Property	Value
Source	`auditd`
Sourcetype	`auditd`
Separator	type

Supported Apps

Splunk Add-on for Unix and Linux (version 10.1.0)

Event Fields

+ Fields

  <span class="pill kill-chain">type</span>
  
  <span class="pill kill-chain">op</span>
  
  <span class="pill kill-chain">res</span>
  
  <span class="pill kill-chain">pid</span>
  
  <span class="pill kill-chain">uid</span>
  
</div>

Example Log

1type=DAEMON_ABORT msg=audit(06/05/2025 11:03:38.453:6845) : op=set-pid auid=unset pid=61314 uid=root ses=unset subj=unconfined  res=failed

Source: GitHub | Version: 2