<span class="pill kill-chain">msg</span>
<span class="pill kill-chain">type</span>
<span class="pill kill-chain">item</span>
<span class="pill kill-chain">name</span>
<span class="pill kill-chain">inode</span>
<span class="pill kill-chain">dev</span>
<span class="pill kill-chain">mode</span>
<span class="pill kill-chain">ouid</span>
<span class="pill kill-chain">ogid</span>
<span class="pill kill-chain">rdev</span>
<span class="pill kill-chain">nametype</span>
<span class="pill kill-chain">cap_fp</span>
<span class="pill kill-chain">cap_fi</span>
<span class="pill kill-chain">cap_fe</span>
<span class="pill kill-chain">cap_fver</span>
<span class="pill kill-chain">cap_frootid</span>
<span class="pill kill-chain">OUID</span>
<span class="pill kill-chain">OGID</span>
</div>
Data Source: Linux Auditd Path
Description
Logs file system access events on a Linux system, including details about file paths, permissions, and associated processes.
Details
| Property | Value |
|---|---|
| Source | auditd |
| Sourcetype | auditd |
| Separator | type |
Related Detections
Supported Apps
- Splunk Add-on for Unix and Linux (version 10.2.0)
Event Fields
Fields
Example Log
1type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~" inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Source: GitHub | Version: 2