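---
# ECS use-case definition for Auditbeat: the ECS field sets the beat
# populates, plus beat-specific fields that have no ECS equivalent (yet).
title: Auditbeat
name: auditbeat
description: >-
  ECS usage in Auditbeat.
fields:
  - name: event
    fields:
      - name: module
        description: >
          Auditbeat module name.

  - name: file
    title: File
    description: >
      File attributes.
    fields:
      - name: path
        type: text
        description: The path to the file.
        multi_fields:
          - name: raw
            type: keyword
            description: >
              The path to the file. This is a non-analyzed field that is useful
              for aggregations.

      - name: target_path
        type: keyword
        description: The target path for symlinks.

      - name: type
        type: keyword
        description: The file type (file, dir, or symlink).

      - name: device
        type: keyword
        description: The device.

      - name: inode
        type: keyword
        description: The inode representing the file in the filesystem.

      - name: uid
        type: keyword
        description: >
          The user ID (UID) or security identifier (SID) of the file owner.

      - name: owner
        type: keyword
        description: The file owner's username.

      - name: gid
        type: keyword
        description: The primary group ID (GID) of the file.

      - name: group
        type: keyword
        description: The primary group name of the file.

      - name: mode
        type: keyword
        # Quoted on purpose: an unquoted 0640 is read as an octal integer (416)
        # by YAML 1.1 loaders, which would misrepresent a keyword example.
        example: "0640"
        description: The mode of the file in octal representation.

      - name: size
        type: long
        description: The file size in bytes (field is only added when `type` is `file`).

      - name: mtime
        type: date
        description: The last modified time of the file (time when content was modified).

      - name: ctime
        type: date
        description: The last change time of the file (time when metadata was changed).

# TODO (@ruflin 2018-05-01): These fields are not in ECS. Needs decision or removal.
#
#  - name: hash
#    group: 3
#    description: >
#      Hash fields used in Auditbeat.
#
#      The hash field contains cryptographic hashes of data associated with the event
#      (such as a file). The keys are names of cryptographic algorithms. The values
#      are encoded as hexadecimal (lower-case).
#
#      All fields in user can have one or multiple entries.
#    fields:
#      - name: md5
#        type: keyword
#        description: >
#          MD5 hash.
#
#      - name: sha1
#        type: keyword
#        description: >
#          SHA-1 hash.
#
#      - name: sha224
#        type: keyword
#        description: >
#          SHA-224 hash (SHA-2 family).
#
#      - name: sha256
#        type: keyword
#        description: >
#          SHA-256 hash (SHA-2 family).
#
#      - name: sha384
#        type: keyword
#        description: >
#          SHA-384 hash (SHA-2 family).
#
#      - name: sha512
#        type: keyword
#        description: >
#          SHA-512 hash (SHA-2 family).
#
#      - name: sha512_224
#        type: keyword
#        description: >
#          SHA-512/224 hash (SHA-2 family).
#
#      - name: sha512_256
#        type: keyword
#        description: >
#          SHA-512/256 hash (SHA-2 family).
#
#      - name: sha3_224
#        type: keyword
#        description: >
#          SHA3-224 hash (SHA-3 family).
#
#      - name: sha3_256
#        type: keyword
#        description: >
#          SHA3-256 hash (SHA-3 family).
#
#      - name: sha3_384
#        type: keyword
#        description: >
#          SHA3-384 hash (SHA-3 family).
#
#      - name: sha3_512
#        type: keyword
#        description: >
#          SHA3-512 hash (SHA-3 family).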