Data Source: Linux Auditd Syscall

Description

Data source object for Linux auditd SYSCALL records (type=SYSCALL), the record the kernel emits for every system call that matches an audit rule. A SYSCALL record is normally followed by the CWD, PATH, EXECVE and PROCTITLE records of the same event, which share its serial number.

Details

Property    Value
Source      /var/log/audit/audit.log
Sourcetype  linux:audit

Supported Apps

Event Fields

+ Fields
  type: audit record type; always SYSCALL for this data source
  msg: audit(<epoch seconds>.<milliseconds>:<serial>); records that share a serial belong to the same event
  arch: syscall ABI as an AUDIT_ARCH_* value in hex (c000003e is x86_64); syscall numbers are only meaningful together with it
  syscall: syscall number for that arch
  success: yes or no
  exit: syscall return value; a negative errno when success=no
  a0, a1, a2, a3: the first four syscall arguments in hex (for execve these are pointers; the argv strings are in the EXECVE record of the same event)
  items: number of PATH records that follow
  ppid: parent process id
  pid: process id
  auid: login (audit) uid, set by PAM at login and preserved across su and sudo; 4294967295 means unset, as for daemons started at boot
  uid, gid: real uid and gid
  euid, egid: effective uid and gid
  suid, sgid: saved uid and gid
  fsuid, fsgid: filesystem uid and gid
  tty: controlling terminal, or (none)
  ses: login session id; 4294967295 when unset
  comm: process name as the kernel holds it (at most 15 characters)
  exe: path of the executable
  subj: SELinux context or AppArmor profile of the process
  key: the -k key of the audit rule that matched, or (null)
  ARCH, SYSCALL, AUID, UID, GID, EUID, SUID, FSUID, EGID, SGID, FSGID: resolved names for the fields above (architecture, syscall name, user and group names); present only when auditd.conf sets log_format = ENRICHED

Example Log

type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64 SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
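As an added example, not part of the original page or of the project it documents: a small Python parser for SYSCALL records in the format shown above, plus one detection run over it. It resolves arch and syscall numbers, decodes auditd's hex-encoded strings, accepts the ENRICHED-format separator, and flags successful execve calls made as root from a session whose login UID is not root. The sample log is constructed for this illustration (the page's record plus two invented ones); the helper names (parse_syscall_record, find_escalated_execs) and the partial syscall and arch tables are assumptions of the example, with the numbers taken from the x86_64 kernel headers.

```python
import errno
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (not captured from a real host): the page's example record, then
# a failed execve by an ordinary user, then an execve by a daemon whose login UID was never set.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64 SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=SYSCALL msg=audit(1723035670.101:3664): arch=c000003e syscall=59 success=no exit=-13 a0=7ffd1c2f3a10 a1=7ffd1c2f3b20 a2=7ffd1c2f3c30 a3=0 items=1 ppid=1300 pid=1302 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=1 comm="id" exe="/usr/bin/id" subj=unconfined key=(null)
type=SYSCALL msg=audit(1723035675.500:3665): arch=c000003e syscall=59 success=yes exit=0 a0=55d0d0d0d0d0 a1=55d0d0d0d0e0 a2=55d0d0d0d0f0 a3=0 items=2 ppid=900 pid=1303 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" subj=unconfined key="rootcmd"
"""

# AUDIT_ARCH_* from <linux/audit.h>: ELF machine number plus the __AUDIT_ARCH_64BIT
# (0x40000000) and __AUDIT_ARCH_LE (0x80000000) flag bits.
ARCH_NAMES = {0xC000003E: "x86_64", 0x40000003: "i386", 0xC00000B7: "aarch64", 0x40000028: "arm"}
# Subset of the x86_64 syscall table; numbers differ per arch, so only this one is resolved.
SYSCALL_NAMES_X86_64 = {2: "open", 59: "execve", 105: "setuid", 106: "setgid", 113: "setreuid",
                        117: "setresuid", 175: "init_module", 176: "delete_module",
                        257: "openat", 313: "finit_module", 322: "execveat"}
UNSET_ID = 4294967295  # (unsigned int)-1: auid/ses never set, e.g. daemons spawned by init

_MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):")
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


@dataclass
class SyscallRecord:
    timestamp: float
    serial: int
    fields: dict

    def int_field(self, name: str, default: Optional[int] = None) -> Optional[int]:
        try:
            return int(self.fields[name])
        except (KeyError, ValueError):
            return default

    @property
    def arch(self) -> str:
        return ARCH_NAMES.get(int(self.fields.get("arch", "0"), 16), "unknown")

    @property
    def syscall_name(self) -> str:
        nr = self.int_field("syscall", -1)
        table = SYSCALL_NAMES_X86_64 if self.arch == "x86_64" else {}
        return table.get(nr, f"syscall_{nr}")

    @property
    def exit_errno(self) -> Optional[str]:
        code = self.int_field("exit", 0)  # a failed call carries -errno in exit
        return errno.errorcode.get(-code) if code < 0 else None


def parse_syscall_record(line: str) -> Optional[SyscallRecord]:
    """Parse one audit.log line; return None for record types other than SYSCALL."""
    line = line.replace("\x1d", " ").strip()  # ENRICHED logs put a 0x1d before the resolved fields
    m = _MSG_RE.search(line)
    if not m:
        return None
    sec, ms, serial = m.groups()
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if key == "msg":
            continue
        if raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1]
        elif key in ("comm", "exe", "key", "proctitle") and _HEX_RE.match(raw):
            # auditd hex-encodes strings that contain spaces or control characters
            fields[key] = bytes.fromhex(raw).decode("utf-8", errors="replace")
        else:
            fields[key] = raw
    if fields.get("type") != "SYSCALL":
        return None
    return SyscallRecord(float(f"{sec}.{ms}"), int(serial), fields)


def parse_log(text: str) -> List[SyscallRecord]:
    return [r for r in map(parse_syscall_record, text.splitlines()) if r is not None]


def find_escalated_execs(records: List[SyscallRecord]) -> List[SyscallRecord]:
    """Successful execve/execveat as root from a session whose login UID is not root.

    auid is set at login and survives su/sudo, so euid == 0 with auid outside {0, unset}
    marks a command run after privilege escalation; daemons (auid unset) are excluded."""
    return [r for r in records
            if r.syscall_name in ("execve", "execveat") and r.fields.get("success") == "yes"
            and r.int_field("euid") == 0
            and r.int_field("auid", UNSET_ID) not in (0, UNSET_ID)]


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(r.serial, r.arch, r.syscall_name, r.fields["success"], r.exit_errno, r.fields["comm"])
    print("escalated:", [r.serial for r in find_escalated_execs(parse_log(SAMPLE_LOG))])
```

The detection uses the auid/euid split that the page's own record shows: auid=1000 (the ubuntu login) with euid=0 is a command run after su or sudo, which is what a rule keyed rootcmd is meant to catch, while the same execve by cron, with auid unset, is not flagged. Syscall numbers are per architecture, so resolve them against arch (or use the ENRICHED SYSCALL= field when it is present) rather than matching syscall=59 across all hosts.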

Source: GitHub | Version: 1