box.audit.unix

[ 1 Introduction ] [ 2 Source tables ] [ 3 Table structure ] [ 4 Field transformations ]

Introduction

This table collects information about different events generated by UNIX.

Source tables

The information displayed is extracted from the following tables:

box.audit.unix.audispd
box.audit.unix.auditd
box.unix

Table structure

This is the set of columns displayed by this union table, which is the result of the collection of columns present in all source tables:

Extra fields

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
source	`str`
machine	`str`
node	`str`
type	`str`
audit_timestamp	`str`
audit_id	`str`
pid	`str`
uid	`str`
gid	`str`
auid	`str`
ses	`str`
old_auid	`str`
old_ses	`str`
op	`str`
opType	`str`
acct	`str`
id	`str`
exe	`str`
hostname	`str`
addr	`str`
terminal	`str`
res	`str`
comm	`str`
reason	`str`
sig	`str`
dev	`str`
prom	`str`
old_prom	`str`
fver	`str`
fp	`str`
fi	`str`
fe	`str`
old_pp	`str`
old_pi	`str`
old_pe	`str`
old_pa	`str`
pp	`str`
pi	`str`
pe	`str`
pa	`str`
grantors	`str`
kind	`str`
direction	`str`
spid	`str`
suid	`str`
cipher	`str`
ksize	`str`
mac	`str`
pfs	`str`
rport	`str`
laddr	`str`
lport	`str`
cwd	`str`
argc	`str`
a0	`str`
a1	`str`
a2	`str`
a3	`str`
tty	`str`
table	`str`
family	`str`
entries	`str`
item	`str`
name	`str`
inode	`str`
mode	`str`
ouid	`str`
ogid	`str`
rdev	`str`
objtype	`str`
cap_fp	`str`
cap_fi	`str`
cap_fe	`str`
cap_fver	`str`
proctitle	`str`
arch	`str`
syscall	`str`
compat	`str`
ip	`str`
code	`str`
unit	`str`
saddr	`str`
sw	`str`
sw_type	`str`
key_enforce	`str`
gpg_res	`str`
root_dir	`str`
success	`str`
exit	`str`
items	`str`
ppid	`str`
euid	`str`
fsuid	`str`
egid	`str`
sgid	`str`
fsgid	`str`
key	`str`
new_level	`str`
old_level	`str`
cmd	`str`
user	`str`
ctr_id_short	`str`
vm_pid	`str`
vm	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Field transformations

Even though all source tables have several features in common, they have some particularities that make it necessary to undergo a set of transformations to harmonize them for the union table. The most common transformations comprise changes in the data type or the application of rules when several columns in the source table feed a single column in the union table. You can find below the detailed list of transformations in each source table.

box.audit.unix.audispd
box.audit.unix.auditd
box.unix

box.audit.unix.audispd

Field in union table	Field in source table	Field transformation	Data type	Extra fields

Field in union table	Field in source table	Field transformation	Data type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`"audispd"`	`str`
machine	machine		`str`
node	node		`str`
type	type		`str`
audit_timestamp	audit_timestamp		`str`
audit_id	audit_id		`str`
pid	pid		`str`
uid	uid		`str`
gid	gid		`str`
auid	auid		`str`
ses	ses		`str`
old_auid	old_auid		`str`
old_ses	old_ses		`str`
op	op		`str`
opType	opType		`str`
acct	acct		`str`
id	id		`str`
exe	exe		`str`
hostname	hostname		`str`
addr	addr		`str`
terminal	terminal		`str`
res	res		`str`
comm	comm		`str`
reason	reason		`str`
sig	sig		`str`
dev	dev		`str`
prom	prom		`str`
old_prom	old_prom		`str`
fver	fver		`str`
fp	fp		`str`
fi	fi		`str`
fe	fe		`str`
old_pp	old_pp		`str`
old_pi	old_pi		`str`
old_pe	old_pe		`str`
old_pa	old_pa		`str`
pp	pp		`str`
pi	pi		`str`
pe	pe		`str`
pa	pa		`str`
grantors	grantors		`str`
kind	kind		`str`
direction	direction		`str`
spid	spid		`str`
suid	suid		`str`
cipher	cipher		`str`
ksize	ksize		`str`
mac	mac		`str`
pfs	pfs		`str`
rport	rport		`str`
laddr	laddr		`str`
lport	lport		`str`
cwd	cwd		`str`
argc	argc		`str`
a0	a0		`str`
a1	a1		`str`
a2	a2		`str`
a3	a3		`str`
tty	tty		`str`
table	table		`str`
family	family		`str`
entries	entries		`str`
item	item		`str`
name	name		`str`
inode	inode		`str`
mode	mode		`str`
ouid	ouid		`str`
ogid	ogid		`str`
rdev	rdev		`str`
objtype	objtype		`str`
cap_fp	cap_fp		`str`
cap_fi	cap_fi		`str`
cap_fe	cap_fe		`str`
cap_fver	cap_fver		`str`
proctitle	proctitle		`str`
arch	arch		`str`
syscall	syscall		`str`
compat	compat		`str`
ip	ip		`str`
code	code		`str`
unit	unit		`str`
saddr	saddr		`str`
sw	sw		`str`
sw_type	sw_type		`str`
key_enforce	key_enforce		`str`
gpg_res	gpg_res		`str`
root_dir	root_dir		`str`
success	success		`str`
exit	exit		`str`
items	items		`str`
ppid	ppid		`str`
euid	euid		`str`
fsuid	fsuid		`str`
egid	egid		`str`
sgid	sgid		`str`
fsgid	fsgid		`str`
key	key		`str`
new_level	new_level		`str`
old_level	old_level		`str`
cmd	cmd		`str`
user	user		`str`
ctr_id_short	ctr_id_short		`str`
vm_pid	vm_pid		`str`
vm	vm		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓
rawMessage	rawMessage		`str`	✓

box.audit.unix.auditd

Field in union table	Field in source table	Field transformation	Type	Extra fields

Field in union table	Field in source table	Field transformation	Type	Extra fields
eventdate	eventdate		`timestamp`
source	-	`'auditd'`	`str`
machine	machine		`str`
node	-	`null('')`	`str`
type	type		`str`
audit_timestamp	audit_timestamp		`str`
audit_id	audit_id		`str`
pid	pid		`str`
uid	uid uid_2		`str`
gid	gid		`str`
auid	auid_2 auid		`str`
ses	ses		`str`
old_auid	old_auid		`str`
old_ses	old_ses		`str`
op	op		`str`
opType	opType		`str`
acct	acct		`str`
id	id		`str`
exe	exe		`str`
hostname	msg_hostname		`str`
addr	msg_addr		`str`
terminal	terminal		`str`
res	res msg_res		`str`
comm	comm		`str`
reason	reason		`str`
sig	sig		`str`
dev	dev		`str`
prom	prom		`str`
old_prom	old_prom		`str`
fver	-		`str`
fp	fp		`str`
fi	-		`str`
fe	-		`str`
old_pp	-		`str`
old_pi	-		`str`
old_pe	-		`str`
old_pa	-		`str`
pp	-		`str`
pi	-		`str`
pe	-		`str`
pa	-		`str`
grantors	grantors		`str`
kind	kind		`str`
direction	direction		`str`
spid	spid		`str`
suid	suid		`str`
cipher	cipher		`str`
ksize	ksize		`str`
mac	mac		`str`
pfs	pfs		`str`
rport	rport		`str`
laddr	laddr		`str`
lport	lport		`str`
cwd	cwd		`str`
argc	-		`str`
a0	a0		`str`
a1	a1		`str`
a2	a2		`str`
a3	a3		`str`
tty	tty		`str`
table	table		`str`
family	family		`str`
entries	entries		`str`
item	item		`str`
name	name		`str`
inode	inode		`str`
mode	mode		`str`
ouid	ouid		`str`
ogid	ogid		`str`
rdev	rdev		`str`
objtype	objtype		`str`
cap_fp	cap_fp		`str`
cap_fi	cap_fi		`str`
cap_fe	cap_fe		`str`
cap_fver	cap_fver		`str`
proctitle	proctitle		`str`
arch	arch		`str`
syscall	syscall		`str`
compat	-		`str`
ip	-		`str`
code	-		`str`
unit	unit		`str`
saddr	-		`str`
sw	sw		`str`
sw_type	sw_type		`str`
key_enforce	key_enforce		`str`
gpg_res	gpg_res		`str`
root_dir	root_dir		`str`
success	success		`str`
exit	exit		`str`
items	items		`str`
ppid	ppid		`str`
euid	euid		`str`
fsuid	fsuid		`str`
egid	egid		`str`
sgid	sgid		`str`
fsgid	fsgid		`str`
key	key		`str`
new_level	new_level		`str`
old_level	old_level		`str`
cmd	-		`str`
user	-		`str`
ctr_id_short	-		`str`
vm_pid	-		`str`
vm	-		`str`
hostchain	hostchain		`str`	✓
tag	tag		`str`	✓
rawMessage	rawMessage		`str`	✓

box.unix

Field in union table	Field in source table	Field transformation	Type	Extra fields

Field in union table	Field in source table	Type	Extra fields
eventdate	eventdate	`timestamp`
source	-	`str`
machine	machine	`str`
node	node	`str`
type	auditType	`str`
audit_timestamp	audit_timestamp	`str`
audit_id	audit_id	`str`
pid	pid	`str`
uid	uid	`str`
gid	gid	`str`
auid	auid	`str`
ses	ses	`str`
old_auid	-	`str`
old_ses	-	`str`
op	op	`str`
opType	type	`str`
acct	user	`str`
id	-	`str`
exe	cmd	`str`
hostname	hostname	`str`
addr	addr	`str`
terminal	terminal	`str`
res	res	`str`
comm	comm	`str`
reason	-	`str`
sig	-	`str`
dev	dev	`str`
prom	-	`str`
old_prom	-	`str`
fver	-	`str`
fp	-	`str`
fi	-	`str`
fe	-	`str`
old_pp	-	`str`
old_pi	-	`str`
old_pe	-	`str`
old_pa	-	`str`
pp	-	`str`
pi	-	`str`
pe	-	`str`
pa	-	`str`
grantors	grantors	`str`
kind	-	`str`
direction	-	`str`
spid	-	`str`
suid	suid	`str`
cipher	-	`str`
ksize	-	`str`
mac	-	`str`
pfs	-	`str`
rport	-	`str`
laddr	-	`str`
lport	-	`str`
cwd	cwd	`str`
argc	-	`str`
a0	a0	`str`
a1	a1	`str`
a2	a2	`str`
a3	a3	`str`
tty	tty	`str`
table	-	`str`
family	-	`str`
entries	-	`str`
item	item	`str`
name	name	`str`
inode	inode	`str`
mode	mode	`str`
ouid	ouid	`str`
ogid	ogid	`str`
rdev	rdev	`str`
objtype	-	`str`
cap_fp	cap_fp	`str`
cap_fi	cap_fi	`str`
cap_fe	cap_fe	`str`
cap_fver	cap_fver	`str`
proctitle	proctitle	`str`
arch	arch	`str`
syscall	syscall	`str`
compat	-	`str`
ip	-	`str`
code	-	`str`
unit	-	`str`
saddr	-	`str`
sw	-	`str`
sw_type	-	`str`
key_enforce	-	`str`
gpg_res	-	`str`
root_dir	-	`str`
success	success	`str`
exit	exit	`str`
items	items	`str`
ppid	ppid	`str`
euid	euid	`str`
fsuid	fsuid	`str`
egid	egid	`str`
sgid	sgid	`str`
fsgid	fsgid	`str`
key	key	`str`
new_level	-	`str`
old_level	-	`str`
cmd	-	`str`
user	user	`str`
ctr_id_short	-	`str`
vm_pid	-	`str`
vm	-	`str`
hostchain	hostchain	`str`	✓
tag	tag	`str`	✓
rawMessage	rawMessage	`str`	✓