Data Source: Linux Auditd Daemon Start

Date: 2025-06-06

ID: f1b97407-ddf0-41a5-8685-ada05aae3555

Author: Teoderick Contreras, Splunk

Description

Logs the execution of processes on a Linux system, including details about the auditd daemon status.

Details

Property	Value
Source	`auditd`
Sourcetype	`auditd`
Separator	type

Supported Apps

Splunk Add-on for Unix and Linux (version 10.1.0)

Event Fields

+ Fields

  <span class="pill kill-chain">type</span>
  
  <span class="pill kill-chain">op</span>
  
  <span class="pill kill-chain">res</span>
  
  <span class="pill kill-chain">auid</span>
  
  <span class="pill kill-chain">pid</span>
  
</div>

Example Log

1type=DAEMON_START msg=audit(06/05/2025 11:03:38.949:6844) : op=start ver=3.0.7 format=enriched kernel=6.8.0-1029-aws auid=unset pid=61323 uid=root ses=unset subj=unconfined  res=success

Source: GitHub | Version: 2