From 43463f17fc270290825f4e5f4823af9a7a471060 Mon Sep 17 00:00:00 2001
From: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Date: Fri, 14 Feb 2020 15:06:19 -0600
Subject: [PATCH] [Filebeat] Improve ECS field mapping for auditd module (#16280)

* Improve ECS field mapping for auditd module

- event.kind
- event.type
- event.category
- container.name
- container.runtime
- process.args_count
- process.exit_code
- process.working_directory

Closes #16153
---
CHANGELOG.next.asciidoc | 1 +
.../module/auditd/log/ingest/pipeline.yml | 76 +++++-
.../log/test/audit-rhel6.log-expected.json | 35 ++-
.../log/test/audit-rhel7.log-expected.json | 228 +++++++++++++-----
filebeat/module/auditd/log/test/test.log | 8 +
.../auditd/log/test/test.log-expected.json | 203 +++++++++++++++-
6 files changed, 474 insertions(+), 77 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index f27da3eed4a..a3e300f3b58 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -124,6 +124,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add ECS categorization fields to activemq module. {issue}16151[16151] {pull}16201[16201]
- Add a TLS test and more debug output to httpjson input {pull}16315[16315]
- Add an SSL config example in config.yml for filebeat MISP module. {pull}16320[16320]
+- Improve ECS categorization, container & process field mappings in auditd module. {issue}16153[16153] {pull}16280[16280]

*Heartbeat*

diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml
index 160c8af81f7..061821fd3aa 100644
--- a/filebeat/module/auditd/log/ingest/pipeline.yml
+++ b/filebeat/module/auditd/log/ingest/pipeline.yml
@@ -11,7 +11,7 @@ processors:
- "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} old auid=%{NUMBER:auditd.log.old_auid} new auid=%{NUMBER:auditd.log.new_auid} old ses=%{NUMBER:auditd.log.old_ses} new ses=%{NUMBER:auditd.log.new_ses}"
- - '%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} msg=[''"](%{DATA:auditd.log.msg}\s+)?%{AUDIT_KEY_VALUES:auditd.log.sub_kv}[''"]'
+ - "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv} msg=['\"]%{AUDIT_KEY_VALUES:auditd.log.sub_kv}['\"]"
- "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv}"
- "%{AUDIT_PREFIX}"
- "%{AUDIT_TYPE} %{AUDIT_KEY_VALUES:auditd.log.kv}"
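Review bot: Dropping the optional `(%{DATA:auditd.log.msg}\s+)?` capture from the `msg='...'` pattern means the quoted payload must now consist entirely of key=value pairs, so any record whose msg carries free text ahead of the pairs will no longer match this line and will fall through to the bare `%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:auditd.log.kv}` pattern below it, silently losing `auditd.log.sub_kv` and whatever the pipeline presumably derives from it later (for example `event.outcome` from `res=`). The AUDIT_KEY_VALUES definition is outside this hunk, so I cannot tell whether it tolerates a leading space; the rhel7 fixture in this patch now gains `"message": ""` on the SYSTEM_BOOT record, which auditd normally writes as `msg=' comm=...'` with a leading blank, and that looks like an empty capture being promoted to `message`. Consider keeping a second pattern that still captures leading free text (`msg=['\"]%{DATA:auditd.log.msg}\s+%{AUDIT_KEY_VALUES:auditd.log.sub_kv}['\"]`) after the strict one, dropping `message` when it is empty, and adding a test.log line with free text inside msg to pin the behaviour.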
@@ -132,6 +132,61 @@ processors:
params:
single_quote: "'"
double_quote: "\""
+- set:
+ field: event.kind
+ value: event
+- set:
+ if: "ctx.auditd.log?.record_type == 'USER_AUTH'"
+ field: event.type
+ value: authentication
+- set:
+ if: "ctx.auditd.log?.record_type == 'KERN_MODULE'"
+ field: event.type
+ value: driver
+- set:
+ if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'"
+ field: event.type
+ value: package
+- set:
+ if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'"
+ field: event.type
+ value: host
+- set:
+ if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'"
+ field: event.type
+ value: process
+- set:
+ if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' || ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'"
+ field: event.category
+ value: host
+- set:
+ if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'start'"
+ field: event.type
+ value: start
+- set:
+ if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'stop'"
+ field: event.type
+ value: end
+- set:
+ if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'create'"
+ field: event.type
+ value: creation
+- set:
+ if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' && ctx.auditd.log?.op == 'delete'"
+ field: event.type
+ value: deletion
+- set:
+ if: "ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'"
+ field: event.type
+ value: creation
+- set:
+ if: "ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID' && ctx.auditd.log?.vm != null"
+ field: container.name
+ value: "{{ auditd.log.vm }}"
+- set:
+ if: "ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID' && ctx.auditd.log?.virt != null"
+ field: container.runtime
+ value: "{{ auditd.log.virt }}"
- rename:
ignore_failure: true
field: auditd.log.arch
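Review bot: The first five conditional `set` processors write ECS event.category values into `event.type`: `authentication`, `driver`, `package`, `host` and `process` are event.category values in ECS 1.x, while event.type is limited to values such as `start`, `end`, `creation`, `deletion`, `change`, `info`. The hunk is inconsistent with itself on this point, giving SYSTEM_BOOT/SYSTEM_SHUTDOWN `event.type: host` while VIRT_CONTROL/VIRT_MACHINE_ID get `event.category: host` a few lines later. Any ECS-based detection such as `event.category:authentication and event.outcome:failure` will therefore never match USER_AUTH records from this module. Change those five processors to `field: event.category` and add the matching event.type where it is known, e.g. `event.type: start` for the execve and SYSTEM_BOOT cases and `event.type: end` for SYSTEM_SHUTDOWN. As a lesser point, every `if:` here dereferences `ctx.auditd.log` without a null-safe `?.` on `auditd`, which would raise in Painless for a document that reached this stage without an `auditd` object; `ctx.auditd?.log?.record_type` is the safe form, unless an on_failure handler outside this hunk already covers that.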
@@ -220,6 +275,25 @@ processors:
ignore_failure: true
field: process.args
separator: "\\s+"
+- script:
+ if: "ctx?.process?.args != null"
+ lang: painless
+ source: >-
+ if (ctx.process.args instanceof List) {
+ ctx.process.args_count = ctx.process.args.length;
+ }
+- rename:
+ ignore_failure: true
+ field: auditd.log.exit
+ target_field: process.exit_code
+- convert:
+ ignore_missing: true
+ field: process.exit_code
+ type: long
+- rename:
+ ignore_missing: true
+ field: auditd.log.cwd
+ target_field: process.working_directory
- rename:
ignore_failure: true
field: auditd.log.terminal
diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
index d1e1f176129..a7bdfe6b83d 100644
--- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
+++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
@@ -1,16 +1,17 @@
[
{
"@timestamp": "2017-03-14T19:20:30.178Z",
+ "auditd.log.op": "PAM:session_close",
"auditd.log.sequence": 19600327,
"auditd.log.ses": "11988",
"event.action": "user_end",
"event.dataset": "auditd.log",
+ "event.kind": "event",
"event.module": "auditd",
"event.outcome": "success",
"fileset.name": "log",
"input.type": "log",
"log.offset": 0,
- "message": "op=PAM:session_close",
"process.executable": "/usr/bin/sudo",
"process.pid": 4121,
"service.type": "auditd",
@@ -20,16 +21,17 @@
},
{
"@timestamp": "2017-03-14T19:20:30.178Z",
+ "auditd.log.op": "PAM:setcred",
"auditd.log.sequence": 19600328,
"auditd.log.ses": "11988",
"event.action": "cred_disp",
"event.dataset": "auditd.log",
+ "event.kind": "event",
"event.module": "auditd",
"event.outcome": "success",
"fileset.name": "log",
"input.type": "log",
"log.offset": 189,
- "message": "op=PAM:setcred",
"process.executable": "/usr/bin/sudo",
"process.pid": 4121,
"service.type": "auditd",
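Review bot: Renaming `auditd.log.exit` to `process.exit_code` mislabels the value: on SYSCALL records auditd's `exit=` is the return value of the audited system call, not the exit status of the process, and the rhel6 fixture in this same patch shows it with `"process.exit_code": 184` on an `event.action: syscall` record for a charon process that is still running. ECS defines process.exit_code as the exit code of a terminated process, so any detection or dashboard keyed on `process.exit_code != 0` will fire on every successful open/read/write, and a failed syscall (`exit=-13`) will be read as a crashed process. Keep the raw value in the module namespace instead, e.g. leave it as `auditd.log.exit` or rename to `auditd.log.syscall_exit`, and do not populate process.exit_code from it. Separately, the `convert` to `long` has `ignore_missing: true` but no `ignore_failure` or `on_failure`, unlike the `rename` just above it; interpreted audit output such as `exit=EACCES(Permission denied)` from `ausearch -i` is non-numeric and would fail the whole event unless a pipeline-level on_failure outside this hunk catches it. Adding `ignore_failure: true` to the convert and a test.log line with a negative or symbolic `exit=` would pin that behaviour.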
@@ -43,34 +45,37 @@ "auditd.log.ses": "11988", "event.action": "user_cmd", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 373, - "message": "cwd=\"/", "process.args": [ "/usr/lib64/nagios/plugins/check_asterisk_sip_peers", "-p", "202" ], + "process.args_count": 3, "process.pid": 4151, + "process.working_directory": "/", "service.type": "auditd", "user.audit.id": "700", "user.id": "497" }, { "@timestamp": "2017-03-14T19:20:56.193Z", + "auditd.log.op": "PAM:setcred", "auditd.log.sequence": 19600330, "auditd.log.ses": "11988", "event.action": "cred_acq", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 620, - "message": "op=PAM:setcred", "process.executable": "/usr/bin/sudo", "process.pid": 4151, "service.type": "auditd", @@ -80,16 +85,17 @@ }, { "@timestamp": "2017-03-14T19:20:56.193Z", + "auditd.log.op": "PAM:session_open", "auditd.log.sequence": 19600331, "auditd.log.ses": "11988", "event.action": "user_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 803, - "message": "op=PAM:session_open", "process.executable": "/usr/bin/sudo", "process.pid": 4151, "service.type": "auditd", @@ -107,6 +113,7 @@ "destination.address": "10.100.4.0", "event.action": "mac_ipsec_event", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "1", "fileset.name": "log", @@ -123,7 +130,6 @@ "auditd.log.a1": "7f564ee6d2a0", "auditd.log.a2": "b8", "auditd.log.a3": "0", - "auditd.log.exit": "184", "auditd.log.items": "0", "auditd.log.sequence": 19600354, "auditd.log.ses": "4294967295", 
@@ -132,12 +138,14 @@ "auditd.log.tty": "(none)", "event.action": "syscall", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", "log.offset": 1162, "process.executable": "/usr/libexec/strongswan/charon (deleted)", + "process.exit_code": 184, "process.name": "charon", "process.pid": 1275, "process.ppid": 1240, @@ -161,6 +169,7 @@ "auditd.log.sequence": 19623791, "event.action": "login", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "input.type": "log", @@ -176,18 +185,19 @@ "auditd.log.kind": "session", "auditd.log.laddr": "107.170.139.210", "auditd.log.lport": "50022", + "auditd.log.op": "destroy", "auditd.log.rport": "58994", "auditd.log.sequence": 19623788, "auditd.log.ses": "6793", "auditd.log.spid": "28282", "event.action": "crypto_key_user", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 1640, - "message": "op=destroy", "process.executable": "/usr/sbin/sshd", "process.pid": 28281, "service.type": "auditd", @@ -198,16 +208,18 @@ { "@timestamp": "2017-03-16T04:02:40.072Z", "auditd.log.addr": "96.241.146.97", + "auditd.log.op": "success", "auditd.log.sequence": 19623789, "auditd.log.ses": "6793", "event.action": "user_auth", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", + "event.type": "authentication", "fileset.name": "log", "input.type": "log", "log.offset": 1926, - "message": "op=success", "process.executable": "/usr/sbin/sshd", "process.pid": 28281, "service.type": "auditd", 
@@ -218,16 +230,18 @@ }, { "@timestamp": "2017-03-16T04:02:57.804Z", + "auditd.log.op": "PAM:authentication", "auditd.log.sequence": 19623807, "auditd.log.ses": "12286", "event.action": "user_auth", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", + "event.type": "authentication", "fileset.name": "log", "input.type": "log", "log.offset": 2122, - "message": "op=PAM:authentication", "process.executable": "/bin/su", "process.pid": 28395, "service.type": "auditd", @@ -238,16 +252,17 @@ }, { "@timestamp": "2017-03-16T04:02:57.805Z", + "auditd.log.op": "PAM:accounting", "auditd.log.sequence": 19623808, "auditd.log.ses": "12286", "event.action": "user_acct", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 2312, - "message": "op=PAM:accounting", "process.executable": "/bin/su", "process.pid": 28395, "service.type": "auditd", diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json index af830799822..64ddfa2cc49 100644 --- a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json @@ -8,6 +8,7 @@ "auditd.log.ver": "2.4.1", "event.action": "daemon_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", 
@@ -22,14 +23,15 @@ "auditd.log.sequence": 6, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "auditd", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 190, - "message": "unit=auditd", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -44,11 +46,14 @@ "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_boot", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", + "event.type": "host", "fileset.name": "log", "input.type": "log", "log.offset": 419, + "message": "", "process.executable": "/usr/lib/systemd/systemd-update-utmp", "process.name": "systemd-update-utmp", "process.pid": 273, @@ -61,14 +66,15 @@ "auditd.log.sequence": 8, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "systemd-update-utmp", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 661, - "message": "unit=systemd-update-utmp", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -81,14 +87,15 @@ "auditd.log.sequence": 9, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "systemd-hwdb-update", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 903, - "message": "unit=systemd-hwdb-update", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, 
@@ -101,14 +108,15 @@ "auditd.log.sequence": 10, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "systemd-update-done", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 1145, - "message": "unit=systemd-update-done", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -121,14 +129,15 @@ "auditd.log.sequence": 11, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "systemd-udev-trigger", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 1388, - "message": "unit=systemd-udev-trigger", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -141,14 +150,15 @@ "auditd.log.sequence": 12, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "irqbalance", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 1632, - "message": "unit=irqbalance", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, 
@@ -161,14 +171,15 @@ "auditd.log.sequence": 13, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "avahi-daemon", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 1866, - "message": "unit=avahi-daemon", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -181,14 +192,15 @@ "auditd.log.sequence": 14, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "dbus", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 2102, - "message": "unit=dbus", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -201,14 +213,15 @@ "auditd.log.sequence": 15, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "rsyslog", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 2330, - "message": "unit=rsyslog", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -221,14 +234,15 @@ "auditd.log.sequence": 16, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "irqbalance", "event.action": "service_stop", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 2561, - "message": "unit=irqbalance", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, 
@@ -244,6 +258,7 @@ "auditd.log.table": "filter", "event.action": "netfilter_cfg", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "input.type": "log", @@ -256,7 +271,6 @@ "auditd.log.a1": "41a15c", "auditd.log.a2": "0", "auditd.log.a3": "0", - "auditd.log.exit": "0", "auditd.log.items": "0", "auditd.log.sequence": 17, "auditd.log.ses": "4294967295", @@ -266,12 +280,14 @@ "auditd.log.tty": "(none)", "event.action": "syscall", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", "log.offset": 2875, "process.executable": "/usr/bin/kmod", + "process.exit_code": 0, "process.name": "modprobe", "process.pid": 391, "process.ppid": 390, @@ -294,6 +310,7 @@ "auditd.log.table": "raw", "event.action": "netfilter_cfg", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "input.type": "log", @@ -306,7 +323,6 @@ "auditd.log.a1": "41a15c", "auditd.log.a2": "0", "auditd.log.a3": "0", - "auditd.log.exit": "0", "auditd.log.items": "0", "auditd.log.sequence": 18, "auditd.log.ses": "4294967295", @@ -316,12 +332,14 @@ "auditd.log.tty": "(none)", "event.action": "syscall", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", "log.offset": 3271, "process.executable": "/usr/bin/kmod", + "process.exit_code": 0, "process.name": "modprobe", "process.pid": 396, "process.ppid": 395, @@ -344,6 +362,7 @@ "auditd.log.table": "security", "event.action": "netfilter_cfg", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "input.type": "log", 
@@ -356,7 +375,6 @@ "auditd.log.a1": "41a15c", "auditd.log.a2": "0", "auditd.log.a3": "0", - "auditd.log.exit": "0", "auditd.log.items": "0", "auditd.log.sequence": 19, "auditd.log.ses": "4294967295", @@ -366,12 +384,14 @@ "auditd.log.tty": "(none)", "event.action": "syscall", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", "log.offset": 3672, "process.executable": "/usr/bin/kmod", + "process.exit_code": 0, "process.name": "modprobe", "process.pid": 399, "process.ppid": 398, @@ -394,6 +414,7 @@ "auditd.log.table": "mangle", "event.action": "netfilter_cfg", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "input.type": "log", @@ -406,7 +427,6 @@ "auditd.log.a1": "41a15c", "auditd.log.a2": "0", "auditd.log.a3": "0", - "auditd.log.exit": "0", "auditd.log.items": "0", "auditd.log.sequence": 20, "auditd.log.ses": "4294967295", @@ -416,12 +436,14 @@ "auditd.log.tty": "(none)", "event.action": "syscall", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", "log.offset": 4071, "process.executable": "/usr/bin/kmod", + "process.exit_code": 0, "process.name": "modprobe", "process.pid": 402, "process.ppid": 401, @@ -444,6 +466,7 @@ "auditd.log.table": "nat", "event.action": "netfilter_cfg", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "input.type": "log", @@ -456,7 +479,6 @@ "auditd.log.a1": "41a15c", "auditd.log.a2": "0", "auditd.log.a3": "3", - "auditd.log.exit": "0", "auditd.log.items": "0", "auditd.log.sequence": 21, "auditd.log.ses": "4294967295", 
@@ -466,12 +488,14 @@ "auditd.log.tty": "(none)", "event.action": "syscall", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", "log.offset": 4467, "process.executable": "/usr/bin/kmod", + "process.exit_code": 0, "process.name": "modprobe", "process.pid": 407, "process.ppid": 406, @@ -491,14 +515,15 @@ "auditd.log.sequence": 22, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "yum-cron", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 4785, - "message": "unit=yum-cron", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -511,14 +536,15 @@ "auditd.log.sequence": 23, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "rhel-dmesg", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 5017, - "message": "unit=rhel-dmesg", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -531,14 +557,15 @@ "auditd.log.sequence": 24, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "acpid", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 5251, - "message": "unit=acpid", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, 
@@ -551,14 +578,15 @@ "auditd.log.sequence": 25, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "systemd-user-sessions", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 5480, - "message": "unit=systemd-user-sessions", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -571,14 +599,15 @@ "auditd.log.sequence": 26, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "ntpd", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 5725, - "message": "unit=ntpd", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -594,6 +623,7 @@ "auditd.log.table": "filter", "event.action": "netfilter_cfg", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "input.type": "log", @@ -606,7 +636,6 @@ "auditd.log.a1": "41a15c", "auditd.log.a2": "0", "auditd.log.a3": "0", - "auditd.log.exit": "0", "auditd.log.items": "0", "auditd.log.sequence": 27, "auditd.log.ses": "4294967295", @@ -616,12 +645,14 @@ "auditd.log.tty": "(none)", "event.action": "syscall", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", "log.offset": 6035, "process.executable": "/usr/bin/kmod", + "process.exit_code": 0, "process.name": "modprobe", "process.pid": 423, "process.ppid": 422, 
@@ -641,14 +672,15 @@ "auditd.log.sequence": 28, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "systemd-logind", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 6353, - "message": "unit=systemd-logind", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -661,14 +693,15 @@ "auditd.log.sequence": 29, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "crond", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 6591, - "message": "unit=crond", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -681,14 +714,15 @@ "auditd.log.sequence": 30, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "expand-root", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 6820, - "message": "unit=expand-root", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, 
@@ -701,14 +735,15 @@ "auditd.log.sequence": 31, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "expand-root", "event.action": "service_stop", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 7055, - "message": "unit=expand-root", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -724,6 +759,7 @@ "auditd.log.table": "raw", "event.action": "netfilter_cfg", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "input.type": "log", @@ -736,7 +772,6 @@ "auditd.log.a1": "41a15c", "auditd.log.a2": "0", "auditd.log.a3": "0", - "auditd.log.exit": "0", "auditd.log.items": "0", "auditd.log.sequence": 32, "auditd.log.ses": "4294967295", @@ -746,12 +781,14 @@ "auditd.log.tty": "(none)", "event.action": "syscall", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", "log.offset": 7368, "process.executable": "/usr/bin/kmod", + "process.exit_code": 0, "process.name": "modprobe", "process.pid": 440, "process.ppid": 439, @@ -771,14 +808,15 @@ "auditd.log.sequence": 33, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "sshd-keygen", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 7686, - "message": "unit=sshd-keygen", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, 
@@ -794,6 +832,7 @@ "auditd.log.table": "security", "event.action": "netfilter_cfg", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "input.type": "log", @@ -806,7 +845,6 @@ "auditd.log.a1": "41a15c", "auditd.log.a2": "0", "auditd.log.a3": "0", - "auditd.log.exit": "0", "auditd.log.items": "0", "auditd.log.sequence": 34, "auditd.log.ses": "4294967295", @@ -816,12 +854,14 @@ "auditd.log.tty": "(none)", "event.action": "syscall", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", "log.offset": 8005, "process.executable": "/usr/bin/kmod", + "process.exit_code": 0, "process.name": "modprobe", "process.pid": 446, "process.ppid": 445, @@ -844,6 +884,7 @@ "auditd.log.table": "mangle", "event.action": "netfilter_cfg", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "input.type": "log", @@ -856,7 +897,6 @@ "auditd.log.a1": "41a15c", "auditd.log.a2": "0", "auditd.log.a3": "0", - "auditd.log.exit": "0", "auditd.log.items": "0", "auditd.log.sequence": 35, "auditd.log.ses": "4294967295", @@ -866,12 +906,14 @@ "auditd.log.tty": "(none)", "event.action": "syscall", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", "log.offset": 8405, "process.executable": "/usr/bin/kmod", + "process.exit_code": 0, "process.name": "modprobe", "process.pid": 450, "process.ppid": 449, 
@@ -891,14 +933,15 @@ "auditd.log.sequence": 36, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "plymouth-quit", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 8723, - "message": "unit=plymouth-quit", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -911,14 +954,15 @@ "auditd.log.sequence": 37, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "plymouth-quit", "event.action": "service_stop", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 8960, - "message": "unit=plymouth-quit", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -931,14 +975,15 @@ "auditd.log.sequence": 38, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "plymouth-start", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 9196, - "message": "unit=plymouth-start", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, 
@@ -951,14 +996,15 @@ "auditd.log.sequence": 39, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "plymouth-start", "event.action": "service_stop", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 9434, - "message": "unit=plymouth-start", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -971,14 +1017,15 @@ "auditd.log.sequence": 40, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "plymouth-quit-wait", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 9671, - "message": "unit=plymouth-quit-wait", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -991,14 +1038,15 @@ "auditd.log.sequence": 41, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "plymouth-quit-wait", "event.action": "service_stop", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 9913, - "message": "unit=plymouth-quit-wait", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, 
@@ -1011,14 +1059,15 @@ "auditd.log.sequence": 42, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "serial-getty@ttyS0", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 10154, - "message": "unit=serial-getty@ttyS0", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -1031,14 +1080,15 @@ "auditd.log.sequence": 43, "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", + "auditd.log.unit": "getty@tty1", "event.action": "service_start", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "event.outcome": "success", "fileset.name": "log", "input.type": "log", "log.offset": 10396, - "message": "unit=getty@tty1", "process.executable": "/usr/lib/systemd/systemd", "process.name": "systemd", "process.pid": 1, @@ -1054,6 +1104,7 @@ "auditd.log.table": "nat", "event.action": "netfilter_cfg", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "input.type": "log", @@ -1066,7 +1117,6 @@ "auditd.log.a1": "41a15c", "auditd.log.a2": "0", "auditd.log.a3": "1", - "auditd.log.exit": "0", "auditd.log.items": "0", "auditd.log.sequence": 44, "auditd.log.ses": "4294967295", @@ -1076,12 +1126,14 @@ "auditd.log.tty": "(none)", "event.action": "syscall", "event.dataset": "auditd.log", + "event.kind": "event", "event.module": "auditd", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", "log.offset": 10709, "process.executable": "/usr/bin/kmod", + "process.exit_code": 0, "process.name": "modprobe", "process.pid": 453, "process.ppid": 452, 
@@ -1101,14 +1153,15 @@
 "auditd.log.sequence": 45,
 "auditd.log.ses": "4294967295",
 "auditd.log.subj": "system_u:system_r:init_t:s0",
+ "auditd.log.unit": "firewalld",
 "event.action": "service_start",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "event.outcome": "success",
 "fileset.name": "log",
 "input.type": "log",
 "log.offset": 11027,
- "message": "unit=firewalld",
 "process.executable": "/usr/lib/systemd/systemd",
 "process.name": "systemd",
 "process.pid": 1,
@@ -1124,6 +1177,7 @@
 "auditd.log.table": "nat",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1136,7 +1190,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "25be720",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 46,
 "auditd.log.ses": "4294967295",
@@ -1146,12 +1199,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 11338,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 476,
 "process.ppid": 296,
@@ -1174,6 +1229,7 @@
 "auditd.log.table": "nat",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1186,7 +1242,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "1819720",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 47,
 "auditd.log.ses": "4294967295",
@@ -1196,12 +1251,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 11747,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 478,
 "process.ppid": 296,
@@ -1224,6 +1281,7 @@
 "auditd.log.table": "mangle",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1236,7 +1294,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "13d0850",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 48,
 "auditd.log.ses": "4294967295",
@@ -1246,12 +1303,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 12159,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 479,
 "process.ppid": 296,
@@ -1274,6 +1333,7 @@
 "auditd.log.table": "mangle",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1286,7 +1346,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "1125850",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 49,
 "auditd.log.ses": "4294967295",
@@ -1296,12 +1355,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 12571,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 481,
 "process.ppid": 296,
@@ -1324,6 +1385,7 @@
 "auditd.log.table": "security",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1336,7 +1398,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "20a3600",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 50,
 "auditd.log.ses": "4294967295",
@@ -1346,12 +1407,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 12985,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 482,
 "process.ppid": 296,
@@ -1374,6 +1437,7 @@
 "auditd.log.table": "security",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1386,7 +1450,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "9f0600",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 51,
 "auditd.log.ses": "4294967295",
@@ -1396,12 +1459,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 13399,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 484,
 "process.ppid": 296,
@@ -1424,6 +1489,7 @@
 "auditd.log.table": "raw",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1436,7 +1502,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "232e4d0",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 52,
 "auditd.log.ses": "4294967295",
@@ -1446,12 +1511,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 13807,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 485,
 "process.ppid": 296,
@@ -1474,6 +1541,7 @@
 "auditd.log.table": "raw",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1486,7 +1554,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "14404d0",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 53,
 "auditd.log.ses": "4294967295",
@@ -1496,12 +1563,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 14216,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 487,
 "process.ppid": 296,
@@ -1524,6 +1593,7 @@
 "auditd.log.table": "filter",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1536,7 +1606,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "c31600",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 54,
 "auditd.log.ses": "4294967295",
@@ -1546,12 +1615,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 14628,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 488,
 "process.ppid": 296,
@@ -1574,6 +1645,7 @@
 "auditd.log.table": "filter",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1586,7 +1658,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "143a600",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 55,
 "auditd.log.ses": "4294967295",
@@ -1596,12 +1667,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 15039,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 490,
 "process.ppid": 296,
@@ -1624,6 +1697,7 @@
 "auditd.log.table": "nat",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1636,7 +1710,6 @@
 "auditd.log.a1": "29",
 "auditd.log.a2": "40",
 "auditd.log.a3": "109b880",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 56,
 "auditd.log.ses": "4294967295",
@@ -1646,12 +1719,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 15449,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "ip6tables",
 "process.pid": 491,
 "process.ppid": 296,
@@ -1674,6 +1749,7 @@
 "auditd.log.table": "nat",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1686,7 +1762,6 @@
 "auditd.log.a1": "29",
 "auditd.log.a2": "40",
 "auditd.log.a3": "b53880",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 57,
 "auditd.log.ses": "4294967295",
@@ -1696,12 +1771,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 15861,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "ip6tables",
 "process.pid": 493,
 "process.ppid": 296,
@@ -1724,6 +1801,7 @@
 "auditd.log.table": "mangle",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1736,7 +1814,6 @@
 "auditd.log.a1": "29",
 "auditd.log.a2": "40",
 "auditd.log.a3": "17b09e0",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 58,
 "auditd.log.ses": "4294967295",
@@ -1746,12 +1823,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 16275,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "ip6tables",
 "process.pid": 494,
 "process.ppid": 296,
@@ -1774,6 +1853,7 @@
 "auditd.log.table": "mangle",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1786,7 +1866,6 @@
 "auditd.log.a1": "29",
 "auditd.log.a2": "40",
 "auditd.log.a3": "25cc9e0",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 59,
 "auditd.log.ses": "4294967295",
@@ -1796,12 +1875,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 16690,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "ip6tables",
 "process.pid": 496,
 "process.ppid": 296,
@@ -1824,6 +1905,7 @@
 "auditd.log.table": "security",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1836,7 +1918,6 @@
 "auditd.log.a1": "29",
 "auditd.log.a2": "40",
 "auditd.log.a3": "14db720",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 60,
 "auditd.log.ses": "4294967295",
@@ -1846,12 +1927,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 17107,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "ip6tables",
 "process.pid": 497,
 "process.ppid": 296,
@@ -1874,6 +1957,7 @@
 "auditd.log.table": "security",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1886,7 +1970,6 @@
 "auditd.log.a1": "29",
 "auditd.log.a2": "40",
 "auditd.log.a3": "9d2720",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 61,
 "auditd.log.ses": "4294967295",
@@ -1896,12 +1979,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 17524,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "ip6tables",
 "process.pid": 499,
 "process.ppid": 296,
@@ -1924,6 +2009,7 @@
 "auditd.log.table": "raw",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1936,7 +2022,6 @@
 "auditd.log.a1": "29",
 "auditd.log.a2": "40",
 "auditd.log.a3": "fae5c0",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 62,
 "auditd.log.ses": "4294967295",
@@ -1946,12 +2031,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 17935,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "ip6tables",
 "process.pid": 500,
 "process.ppid": 296,
@@ -1974,6 +2061,7 @@
 "auditd.log.table": "raw",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -1986,7 +2074,6 @@
 "auditd.log.a1": "29",
 "auditd.log.a2": "40",
 "auditd.log.a3": "19545c0",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 63,
 "auditd.log.ses": "4294967295",
@@ -1996,12 +2083,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 18346,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "ip6tables",
 "process.pid": 502,
 "process.ppid": 296,
@@ -2024,6 +2113,7 @@
 "auditd.log.table": "filter",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -2036,7 +2126,6 @@
 "auditd.log.a1": "29",
 "auditd.log.a2": "40",
 "auditd.log.a3": "23a3720",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 64,
 "auditd.log.ses": "4294967295",
@@ -2046,12 +2135,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 18761,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "ip6tables",
 "process.pid": 503,
 "process.ppid": 296,
@@ -2074,6 +2165,7 @@
 "auditd.log.table": "filter",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -2086,7 +2178,6 @@
 "auditd.log.a1": "29",
 "auditd.log.a2": "40",
 "auditd.log.a3": "162d720",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 65,
 "auditd.log.ses": "4294967295",
@@ -2096,12 +2187,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 19176,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "ip6tables",
 "process.pid": 505,
 "process.ppid": 296,
@@ -2124,6 +2217,7 @@
 "auditd.log.table": "mangle",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -2136,7 +2230,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "14b0850",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 66,
 "auditd.log.ses": "4294967295",
@@ -2146,12 +2239,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 19590,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 506,
 "process.ppid": 296,
@@ -2174,6 +2269,7 @@
 "auditd.log.table": "mangle",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -2186,7 +2282,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "2398850",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 67,
 "auditd.log.ses": "4294967295",
@@ -2196,12 +2291,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 20002,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 507,
 "process.ppid": 296,
@@ -2224,6 +2321,7 @@
 "auditd.log.table": "mangle",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -2236,7 +2334,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "2679850",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 68,
 "auditd.log.ses": "4294967295",
@@ -2246,12 +2343,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 20414,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 508,
 "process.ppid": 296,
@@ -2274,6 +2373,7 @@
 "auditd.log.table": "mangle",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -2286,7 +2386,6 @@
 "auditd.log.a1": "0",
 "auditd.log.a2": "40",
 "auditd.log.a3": "1715850",
- "auditd.log.exit": "0",
 "auditd.log.items": "0",
 "auditd.log.sequence": 69,
 "auditd.log.ses": "4294967295",
@@ -2296,12 +2395,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 20826,
 "process.executable": "/usr/sbin/xtables-multi",
+ "process.exit_code": 0,
 "process.name": "iptables",
 "process.pid": 509,
 "process.ppid": 296,
@@ -2324,6 +2425,7 @@
 "auditd.log.table": "mangle",
 "event.action": "netfilter_cfg",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
diff --git a/filebeat/module/auditd/log/test/test.log b/filebeat/module/auditd/log/test/test.log
index e937c217ae6..b7b59daa120 100644
--- a/filebeat/module/auditd/log/test/test.log
+++ b/filebeat/module/auditd/log/test/test.log
@@ -5,3 +5,11 @@ type=CRYPTO_SESSION msg=audit(1481077041.515:406): pid=1298 uid=0 auid=429496729
 type=TTY msg=audit(1491924063.550:1065565): tty pid=27930 uid=1000 auid=1000 ses=762 major=136 minor=0 comm="bash" data=65687F7F6563686F20746573740D76696D202F6574632F70616D2E642F70617373776F72642D617574682D61630D6D616E2070616D5F7474795F61756469740D6D616E2070616D2E640D76696D202F657463017375646F20052F70616D642E73797F7F7F7F7F2E7F6D2E642F7379092D6109617F2D61090D6D616E2070616D0D747F67726570207379737F7F7F2F7661722F6C6F09672F6D65097309207C20677265702070616D5F7474790D677265702070616D5F747479202F7661722F6C6F672F6D6573090D1B5B41017375646F200D7375646F2073750D
 type=PROCTITLE msg=audit(1451781471.394:194438): proctitle="bash"
 type=PROCTITLE msg=audit(1451781471.394:194440): proctitle=737368643A206275726E205B707269765D
+type=SOFTWARE_UPDATE msg=audit(1573844484.309:785): pid=3157 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='sw="gcc-4.8.5-39.el7.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="yum" exe="/usr/bin/python2.7" hostname=? addr=? terminal=? res=success'
+type=SYSTEM_BOOT msg=audit(1573844456.144:5): pid=678 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
+type=SYSTEM_SHUTDOWN msg=audit(1573844517.054:1163): pid=4440 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
+type=EXECVE msg=audit(1581371984.206:579393): argc=1 a0=top
+type=SYSCALL msg=audit(1581371984.206:579398): arch=x86_64 syscall=execve success=yes exit=0 a0=0x1fd05c0 a1=0x1fd2730 a2=0x1fd4640 a3=0x7ffc6939f360 items=2 ppid=2563 pid=2614 auid=vagrant uid=vagrant gid=vagrant euid=vagrant suid=vagrant fsuid=vagrant egid=vagrant sgid=vagrant fsgid=vagrant tty=pts0 ses=2 comm=top exe=/usr/bin/top subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+type=KERN_MODULE msg=audit(1581371984.206:579397): name=mymodule
+type=VIRT_CONTROL msg=audit(1513507481.075:145): pid=1431 uid=0 auid=100 ses=3 subj=system_u:system_r:container_runtime_t:s0 msg='user=root reason=api op=create vm=? vm-pid=? hostname=? exe="/usr/bin/dockerd-current" addr=? terminal=? res=success'
+type=VIRT_MACHINE_ID msg=audit(1481903143.572:23118): pid=5637 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm vm="rhel-work3" uuid=5501263b-181d-47ed-ab03-a6066f3d26bf vm-ctx=system_u:system_r:svirt_t:s0:c444,c977 img-ctx=system_u:object_r:svirt_image_t:s0:c444,c977 model=selinux exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=success'
diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json
index 986bdd0bd97..2306d330fa5 100644
--- a/filebeat/module/auditd/log/test/test.log-expected.json
+++ b/filebeat/module/auditd/log/test/test.log-expected.json
@@ -9,6 +9,7 @@
 "destination.address": "192.168.0.0",
 "event.action": "mac_ipsec_event",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "event.outcome": "1",
 "fileset.name": "log",
@@ -25,7 +26,6 @@
 "auditd.log.a1": "7f564b2672a0",
 "auditd.log.a2": "b8",
 "auditd.log.a3": "0",
- "auditd.log.exit": "184",
 "auditd.log.items": "0",
 "auditd.log.sequence": 18877199,
 "auditd.log.ses": "4294967295",
@@ -34,12 +34,14 @@
 "auditd.log.tty": "(none)",
 "event.action": "syscall",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "host.architecture": "x86_64",
 "input.type": "log",
 "log.offset": 174,
 "process.executable": "/usr/libexec/strongswan/charon (deleted)",
+ "process.exit_code": 184,
 "process.name": "charon",
 "process.pid": 1281,
 "process.ppid": 1240,
@@ -60,18 +62,20 @@
 "auditd.log.ses": "11988",
 "event.action": "user_cmd",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "event.outcome": "success",
 "fileset.name": "log",
 "input.type": "log",
 "log.offset": 536,
- "message": "cwd=\"/",
 "process.args": [
 "/usr/lib64/nagios/plugins/check_asterisk_sip_peers",
 "-p",
 "202"
 ],
+ "process.args_count": 3,
 "process.pid": 4151,
+ "process.working_directory": "/",
 "service.type": "auditd",
 "user.audit.id": "700",
 "user.id": "497"
@@ -84,6 +88,7 @@
 "auditd.log.ksize": "512",
 "auditd.log.laddr": "10.142.0.2",
 "auditd.log.lport": "22",
+ "auditd.log.op": "start",
 "auditd.log.pfs": "curve25519-sha256@libssh.org",
 "auditd.log.rport": "63927",
 "auditd.log.sequence": 406,
@@ -92,12 +97,12 @@
 "auditd.log.subj": "system_u:system_r:sshd_t:s0-s0:c0.c1023",
 "event.action": "crypto_session",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "event.outcome": "success",
 "fileset.name": "log",
 "input.type": "log",
 "log.offset": 783,
- "message": "op=start",
 "process.executable": "/usr/sbin/sshd",
 "process.pid": 1298,
 "service.type": "auditd",
@@ -114,6 +119,7 @@
 "auditd.log.ses": "762",
 "event.action": "tty",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -130,6 +136,7 @@
 "auditd.log.sequence": 194438,
 "event.action": "proctitle",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
@@ -142,10 +149,200 @@
 "auditd.log.sequence": 194440,
 "event.action": "proctitle",
 "event.dataset": "auditd.log",
+ "event.kind": "event",
 "event.module": "auditd",
 "fileset.name": "log",
 "input.type": "log",
 "log.offset": 1799,
 "service.type": "auditd"
+ },
+ {
+ "@timestamp": "2019-11-15T19:01:24.309Z",
+ "auditd.log.gpg_res": "1",
+ "auditd.log.key_enforce": "0",
+ "auditd.log.root_dir": "/",
+ "auditd.log.sequence": 785,
+ "auditd.log.ses": "3",
+ "auditd.log.subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
+ "auditd.log.sw": "gcc-4.8.5-39.el7.x86_64",
+ "auditd.log.sw_type": "rpm",
+ "event.action": "software_update",
+ "event.dataset": "auditd.log",
+ "event.kind": "event",
+ "event.module": "auditd",
+ "event.outcome": "success",
+ "event.type": "package",
+ "fileset.name": "log",
+ "input.type": "log",
+ "log.offset": 1893,
+ "process.executable": "/usr/bin/python2.7",
+ "process.name": "yum",
+ "process.pid": 3157,
+ "service.type": "auditd",
+ "user.audit.id": "1000",
+ "user.id": "0"
+ },
+ {
+ "@timestamp": "2019-11-15T19:00:56.144Z",
+ "auditd.log.sequence": 5,
+ "auditd.log.ses": "4294967295",
+ "auditd.log.subj": "system_u:system_r:init_t:s0",
+ "event.action": "system_boot",
+ "event.dataset": "auditd.log",
+ "event.kind": "event",
+ "event.module": "auditd",
+ "event.outcome": "success",
+ "event.type": "host",
+ "fileset.name": "log",
+ "input.type": "log",
+ "log.offset": 2196,
+ "message": "",
+ "process.executable": "/usr/lib/systemd/systemd-update-utmp",
+ "process.name": "systemd-update-utmp",
+ "process.pid": 678,
+ "service.type": "auditd",
+ "user.audit.id": "4294967295",
+ "user.id": "0"
+ },
+ {
+ "@timestamp": "2019-11-15T19:01:57.054Z",
+ "auditd.log.sequence": 1163,
+ "auditd.log.ses": "4294967295",
+ "auditd.log.subj": "system_u:system_r:init_t:s0",
+ "event.action": "system_shutdown",
+ "event.dataset": "auditd.log",
+ "event.kind": "event",
+ "event.module": "auditd",
+ "event.outcome": "success",
+ "event.type": "host",
+ "fileset.name": "log",
+ "input.type": "log",
+ "log.offset": 2438,
+ "message": "",
+ "process.executable": "/usr/lib/systemd/systemd-update-utmp",
+ "process.name": "systemd-update-utmp",
+ "process.pid": 4440,
+ "service.type": "auditd",
+ "user.audit.id": "4294967295",
+ "user.id": "0"
+ },
+ {
+ "@timestamp": "2020-02-10T21:59:44.206Z",
+ "auditd.log.a0": "top",
+ "auditd.log.argc": "1",
+ "auditd.log.sequence": 579393,
+ "event.action": "execve",
+ "event.dataset": "auditd.log",
+ "event.kind": "event",
+ "event.module": "auditd",
+ "fileset.name": "log",
+ "input.type": "log",
+ "log.offset": 2688,
+ "service.type": "auditd"
+ },
+ {
+ "@timestamp": "2020-02-10T21:59:44.206Z",
+ "auditd.log.a0": "0x1fd05c0",
+ "auditd.log.a1": "0x1fd2730",
+ "auditd.log.a2": "0x1fd4640",
+ "auditd.log.a3": "0x7ffc6939f360",
+ "auditd.log.items": "2",
+ "auditd.log.sequence": 579398,
+ "auditd.log.ses": "2",
+ "auditd.log.subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
+ "auditd.log.success": "yes",
+ "auditd.log.syscall": "execve",
+ "auditd.log.tty": "pts0",
+ "event.action": "syscall",
+ "event.dataset": "auditd.log",
+ "event.kind": "event",
+ "event.module": "auditd",
+ "event.type": "process",
+ "fileset.name": "log",
+ "host.architecture": "x86_64",
+ "input.type": "log",
+ "log.offset": 2748,
+ "process.executable": "/usr/bin/top",
+ "process.exit_code": 0,
+ "process.name": "top",
+ "process.pid": 2614,
+ "process.ppid": 2563,
+ "service.type": "auditd",
+ "user.audit.id": "vagrant",
+ "user.effective.group.id": "vagrant",
+ "user.effective.id": "vagrant",
+ "user.filesystem.group.id": "vagrant",
+ "user.filesystem.id": "vagrant",
+ "user.group.id": "vagrant",
+ "user.id": "vagrant",
+ "user.saved.group.id": "vagrant",
+ "user.saved.id": "vagrant"
+ },
+ {
+ "@timestamp": "2020-02-10T21:59:44.206Z",
+ "auditd.log.name": "mymodule",
+ "auditd.log.sequence": 579397,
+ "event.action": "kern_module",
+ "event.dataset": "auditd.log",
+ "event.kind": "event",
+ "event.module": "auditd",
+ "event.type": "driver",
+ "fileset.name": "log",
+ "input.type": "log",
+ "log.offset": 3153,
+ "service.type": "auditd"
+ },
+ {
+ "@timestamp": "2017-12-17T10:44:41.075Z",
+ "auditd.log.op": "create",
+ "auditd.log.reason": "api",
+ "auditd.log.sequence": 145,
+ "auditd.log.ses": "3",
+ "auditd.log.subj": "system_u:system_r:container_runtime_t:s0",
+ "auditd.log.user": "root",
+ "event.action": "virt_control",
+ "event.category": "host",
+ "event.dataset": "auditd.log",
+ "event.kind": "event",
+ "event.module": "auditd",
+ "event.outcome": "success",
+ "event.type": "creation",
+ "fileset.name": "log",
+ "input.type": "log",
+ "log.offset": 3218,
+ "process.executable": "/usr/bin/dockerd-current",
+ "process.pid": 1431,
+ "service.type": "auditd",
+ "user.audit.id": "100",
+ "user.id": "0"
+ },
+ {
+ "@timestamp": "2016-12-16T15:45:43.572Z",
+ "auditd.log.img-ctx": "system_u:object_r:svirt_image_t:s0:c444,c977",
+ "auditd.log.model": "selinux",
+ "auditd.log.sequence": 23118,
+ "auditd.log.ses": "4294967295",
+ "auditd.log.subj": "system_u:system_r:virtd_t:s0-s0:c0.c1023",
+ "auditd.log.uuid": "5501263b-181d-47ed-ab03-a6066f3d26bf",
+ "auditd.log.virt": "kvm",
+ "auditd.log.vm": "rhel-work3",
+ "auditd.log.vm-ctx": "system_u:system_r:svirt_t:s0:c444,c977",
+ "container.name": "rhel-work3",
+ "container.runtime": "kvm",
+ "event.action": "virt_machine_id",
+ "event.category": "host",
+ "event.dataset": "auditd.log",
+ "event.kind": "event",
+ "event.module": "auditd",
+ "event.outcome": "success",
+ "event.type": "creation",
+ "fileset.name": "log",
+ "input.type": "log",
+ "log.offset": 3466,
+ "process.executable": "/usr/sbin/libvirtd",
+ "process.pid": 5637,
+ "service.type": "auditd",
+ "user.audit.id": "4294967295",
+ "user.id": "0"
 }
 ]
\ No newline at end of file
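Review bot: The `event.type` values in the new expected records — `package` (SOFTWARE_UPDATE), `host` (SYSTEM_BOOT and SYSTEM_SHUTDOWN), `process` (the execve SYSCALL) and `driver` (KERN_MODULE) — are ECS `event.category` values, not `event.type` values; the ECS `event.type` vocabulary is `start`, `end`, `creation`, `installation`, `change`, `info` and the like. Those four should move to `event.category` and be paired with a real `event.type`, for example `"event.category": "package", "event.type": "installation"` for the rpm update and `"event.category": "host"` with `"event.type": "start"` / `"end"` for boot and shutdown; as emitted, any ECS rule keyed on `event.category` will not match these events, while the two VIRT_* records at the end already use the category/type split correctly. Separately, the two systemd-update-utmp records carry `"message": ""` because their `msg='...'` body has no free text before the key-value pairs, whereas every other record in this file drops `message` entirely — the pipeline should remove an empty `message` rather than emit an empty-string sentinel. Both fixes belong in the ingest pipeline, which is outside this view.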