<span class="pill kill-chain">cwd</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">msg</span>
<span class="pill kill-chain">type</span>
</div>
Data Source: Linux Auditd Cwd
Description
The CWD record type records the working directory from which the process that invoked the system call specified in the first record was executed. It captures the process's location so that, if the associated PATH record contains a relative path, the absolute path can be reconstructed.
Details
| Property | Value |
|---|---|
| Source | auditd |
| Sourcetype | auditd |
| Separator | type |
Supported Apps
- Splunk Add-on for Unix and Linux (version 10.2.0)
Event Fields
Fields
Example Log
type=CWD msg=audit(11/20/2025 16:57:48.909:110027) : cwd=/etc/ssh
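The reconstruction described in the Description, as an added example (not part of the Splunk content or the add-on): it groups records by audit event ID and joins each relative PATH name to the cwd of the same event. Only the CWD line comes from this page; the PATH records, the second event and the function names are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample: the page's CWD record plus PATH records invented for
# illustration (same interpreted format; event 110028 has no CWD record).
SAMPLE = """\
type=CWD msg=audit(11/20/2025 16:57:48.909:110027) : cwd=/etc/ssh
type=PATH msg=audit(11/20/2025 16:57:48.909:110027) : item=0 name=sshd_config inode=131 nametype=NORMAL
type=PATH msg=audit(11/20/2025 16:57:48.909:110027) : item=1 name=../passwd inode=77 nametype=NORMAL
type=PATH msg=audit(11/20/2025 16:57:48.909:110027) : item=2 name=/usr/bin/vi inode=9 nametype=NORMAL
type=PATH msg=audit(11/20/2025 16:57:49.100:110028) : item=0 name=orphan.txt inode=5 nametype=NORMAL
"""

HEADER = re.compile(r'^type=(\w+)\s+msg=audit\(([^)]*)\)\s*:\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Return (type, event_id, fields), or None for a line that is not an audit record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(3))}
    return m.group(1), m.group(2), fields

def resolve_paths(text):
    """Map event id -> list of absolute paths rebuilt from that event's CWD and PATH records."""
    cwd, names = {}, defaultdict(list)
    for rtype, event_id, fields in filter(None, map(parse, text.splitlines())):
        if rtype == "CWD" and "cwd" in fields:
            cwd[event_id] = fields["cwd"]
        elif rtype == "PATH" and fields.get("name") not in (None, "(null)"):
            names[event_id].append(fields["name"])
    resolved = {}
    for event_id, items in names.items():
        base = cwd.get(event_id)
        # join() returns an absolute name unchanged; a relative name with no
        # CWD record in the same event cannot be resolved and becomes None.
        resolved[event_id] = [
            posixpath.normpath(posixpath.join(base or "/", n))
            if (base or n.startswith("/")) else None
            for n in items]
    return resolved

if __name__ == "__main__":
    for event_id, paths in resolve_paths(SAMPLE).items():
        print(event_id, paths)
```

`normpath` collapses `..` lexically, so when a directory in the path is a symlink the file actually touched can differ from the reconstructed string.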
Source: GitHub | Version: 1