<span class="pill kill-chain">msg</span>
<span class="pill kill-chain">type</span>
<span class="pill kill-chain">pid</span>
<span class="pill kill-chain">uid</span>
<span class="pill kill-chain">auid</span>
<span class="pill kill-chain">ses</span>
<span class="pill kill-chain">subj</span>
<span class="pill kill-chain">msg</span>
<span class="pill kill-chain">comm</span>
<span class="pill kill-chain">exe</span>
<span class="pill kill-chain">hostname</span>
<span class="pill kill-chain">addr</span>
<span class="pill kill-chain">terminal</span>
<span class="pill kill-chain">res</span>
<span class="pill kill-chain">UID</span>
<span class="pill kill-chain">AUID</span>
</div>
Data Source: Linux Auditd Service Stop
Description
Logs events related to the stoppage of a service on a Linux system, including details about the service name, the process initiating the stop, and associated timestamps.
Details
| Property | Value |
|---|---|
| Source | auditd |
| Sourcetype | auditd |
| Separator | type |
Related Detections
| Name | Technique | Type |
|---|---|---|
| Linux Auditd Auditd Service Stop | Service Stop | Anomaly |
| Linux Auditd Disable Or Modify System Firewall | Disable or Modify System Firewall | Anomaly |
| Linux Auditd Osquery Service Stop | Service Stop | Anomaly |
| Linux Auditd Stop Services | Service Stop | Hunting |
| Linux Auditd Sysmon Service Stop | Service Stop | Anomaly |
Supported Apps
- Splunk Add-on for Unix and Linux (version 10.2.0)
Event Fields
Fields
Example Log
1type=SERVICE_STOP msg=audit(1722957155.494:4802): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg='unit=atd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
Source: GitHub | Version: 2