Auditd Logs

Stream auditd logs directly to Panther over HTTPS

Last updated 5 months ago

Overview

Panther supports ingesting logs created by the Linux Audit Daemon (auditd) by streaming them to an HTTP Source after they are forwarded with Fluent Bit.

How to onboard auditd audit logs to Panther

Step 1: Create a new auditd log source in Panther

  1. In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Auditd," then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.

  4. Click Start Setup.

  5. Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

    • When setting the Auth method for the source, we recommend using Shared Secret.

    • Payloads sent to this source are subject to the payload requirements for all HTTP sources.

    • Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Configure Fluent Bit

  1. Follow the Getting Started with Fluent Bit instructions to install Fluent Bit as a service.

  2. Create a Fluent Bit configuration file.

    • [INPUT] variables:

      • Name: Set this to tail, so Fluent Bit tails the audit log file and forwards each new line as it is written.

      • Path: Set this as the path to your log file (by default /var/log/audit/audit.log).

        • Fluent Bit must be able to read this file. auditd creates it owned by root with mode 0600, so either run Fluent Bit as root or set log_group in auditd.conf to a group the Fluent Bit user belongs to (auditd then makes the file group-readable).

    • [OUTPUT] variables:

      • Host: Enter your Panther URL.

        • Example: logs.instance-name.runpanther.net

      • URI: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with /http/.

        • Example: /http/cb015ee4-543c-4489-9f4b-testaa16d7a

      • Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.

        • Treat the secret like any other credential: restrict read access to the configuration file to the user Fluent Bit runs as, and keep it out of version control.

      • Name: Set to http.

      • TLS: Set to ON.

        • Keep TLS.Verify set to On as well. With verification disabled, Fluent Bit would hand your shared secret to any host able to intercept or impersonate the Panther endpoint.

      • Port: Set to 443.

    [SERVICE]
        Flush      1
    
    [INPUT]
        Name       tail
        Path       /var/log/audit/audit.log
    
    [OUTPUT]
        Name       http
        Match      *
        Host       logs.instance-name.runpanther.net
        Port       443
        URI        /http/cb015ee4-543c-4489-9f4b-testaa16d7a
        Header     x-sender-header {YOUR_SECRET_HERE}
        Format     json_lines
        TLS        On
        TLS.Verify On

  3. Start Fluent Bit, passing the path to your new config file.

Supported log types

Linux.Auditd

The following defines the Linux audit log schema:

schema: Linux.Auditd
description: Linux audit log
referenceURL: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
fields:
  - name: type
    required: true
    description: Audit Record Type. See https://access.redhat.com/articles/4409591#audit-record-types-2 for a full list
    type: string
  - name: a0
    description: Records the first argument of the system call, encoded in hexadecimal notation.
    type: string
  - name: a1
    description: Records the second argument of the system call, encoded in hexadecimal notation.
    type: string
  - name: a2
    description: Records the third argument of the system call, encoded in hexadecimal notation.
    type: string
  - name: a3
    description: Records the fourth argument of the system call, encoded in hexadecimal notation.
    type: string
  - name: acct
    description: Record the user account name under which the process was executed.
    type: string
  - name: action
    description: Records the action taking place in an integrity policy rule.
    type: string
  - name: appraise_type
    description: Records the appraisal type used in an integrity policy rule.
    type: string
  - name: addr
    description: Records the IPv4 or IPv6 address. This field usually follows a hostname field and contains the address the host name resolves to.
    type: string
    indicators:
      - ip
  - name: arch
    description: Records information about the CPU architecture of the system, encoded in hexadecimal notation.
    type: string
  - name: calipso_doi
    description: Records the DOI of an RFC5570 Calipso entry.
    type: string
  - name: calipso_type
    description: Records the type of an RFC5570 Calipso entry.
    type: string
  - name: capability
    description: Records the number of bits that were used to set a particular Linux capability. For more information on Linux capabilities, see the capabilities(7) man page.
    type: string
  - name: cap_fe
    description: Records data related to the setting of the effective file system-based capability bit.
    type: string
  - name: cap_fi
    description: Records data related to the setting of an inherited file system-based capability.
    type: string
  - name: cap_fp
    description: Records data related to the setting of a permitted file system-based capability.
    type: string
  - name: cap_fver
    description: Records the version of a file system-based capability.
    type: string
  - name: cap_pe
    description: Records data related to the setting of an effective process-based capability.
    type: string
  - name: cap_pi
    description: Records data related to the setting of an inherited process-based capability.
    type: string
  - name: cap_pp
    description: Records data related to the setting of a permitted process-based capability.
    type: string
  - name: cause
    description: Records the cause in an integrity policy rule.
    type: string
  - name: cgroup
    description: Records the path to the cgroup that contains the process at the time the Audit event was generated.
    type: string
  - name: cmd
    description: Records the entire command line that is executed. This is useful in case of shell interpreters where the exe field records, for example, /bin/bash as the shell interpreter and the cmd field records the rest of the command line that is executed, for example helloworld.sh --help.
    type: string
  - name: code
    description: Records the seccomp action.
    type: string
  - name: comm
    description: Records the command that is executed. This is useful in case of shell interpreters where the exe field records, for example, /bin/bash as the shell interpreter and the comm field records the name of the script that is executed, for example helloworld.sh.
    type: string
  - name: compat
    description: Records the syscall compatibility mode in a seccomp action.
    type: string
  - name: cwd
    description: Records the path to the directory in which a system call was invoked.
    type: string
  - name: data
    description: Records data associated with TTY records.
    type: string
  - name: dev
    description: Records the minor and major ID of the device that contains the file or directory recorded in an event.
    type: string
  - name: devmajor
    description: Records the major device ID.
    type: string
  - name: devminor
    description: Records the minor device ID.
    type: string
  - name: exe
    description: Records the path to the executable that was used to invoke the analyzed process.
    type: string
  - name: exit
    description: 'Records the exit code returned by a system call. This value varies by system call. You can interpret the value to its human-readable equivalent with the following command: ausearch --interpret --exit exit_code'
    type: string
  - name: family
    description: Records the type of address protocol that was used, either IPv4 or IPv6.
    type: string
  - name: feature
    description: Records the audit feature being set or cleared.
    type: string
  - name: file
    description: Records the file involved in an integrity measurement.
    type: string
  - name: filetype
    description: Records the type of the file.
    type: string
  - name: flags
    description: Records the file system name flags.
    type: string
  - name: fowner
    description: Records the file owner used in an integrity policy rule.
    type: string
  - name: fsgid
    description: Records the file system group ID of the user who started the analyzed process.
    type: string
  - name: fsmagic
    description: Records the filesystem magic used in an integrity policy rule.
    type: string
  - name: fsuuid
    description: Records the fsuuid used in an integrity policy rule.
    type: string
  - name: fsuid
    description: Records the file system user ID of the user who started the analyzed process.
    type: string
  - name: func
    description: Records the function involved in an integrity policy rule.
    type: string
  - name: hash
    description: Records the hash of a file involved in an integrity measurement.
    type: string
  - name: hostname
    description: Records the host name.
    type: string
    indicators:
      - hostname
  - name: icmptype
    description: Records the type of an Internet Control Message Protocol (ICMP) packet that is received. Audit messages containing this field are usually generated by iptables.
    type: string
  - name: id
    description: Records the user ID of an account that was changed.
    type: string
  - name: inode
    description: Records the inode number associated with the file or directory recorded in an Audit event.
    type: string
  - name: inode_gid
    description: Records the group ID of the inode's owner.
    type: string
  - name: inode_uid
    description: Records the user ID of the inode's owner.
    type: string
  - name: ip
    description: Records the instruction pointer in a seccomp action.
    type: string
    indicators:
      - ip
  - name: items
    description: Records the number of path records that are attached to this record.
    type: string
  - name: key
    description: Records the user defined string associated with a rule that generated a particular event in the Audit log.
    type: string
  - name: list
    description: 'Records the Audit rule list ID. The following is a list of known IDs: 0 — user, 1 — task, 4 — exit, 5 — exclude'
    type: string
  - name: mode
    description: Records the file or directory permissions, encoded in numerical notation.
    type: string
  - name: msgtype
    description: Records the message type that is returned in case of a user-based AVC denial. The message type is determined by D-Bus.
    type: string
  - name: name
    description: Records the full path of the file or directory that was passed to the system call as an argument.
    type: string
  - name: new-disk
    description: Records the name of a new disk resource that is assigned to a virtual machine.
    type: string
  - name: new-mem
    description: Records the amount of a new memory resource that is assigned to a virtual machine.
    type: string
  - name: new-vcpu
    description: Records the number of a new virtual CPU resource that is assigned to a virtual machine.
    type: string
  - name: new-net
    description: Records the MAC address of a new network interface resource that is assigned to a virtual machine.
    type: string
  - name: new_gid
    description: Records a group ID that is assigned to a user.
    type: string
  - name: new_lock
    description: Records the new value of a lock being set on an audit feature.
    type: string
  - name: nsec
    description: Records the number of nanoseconds by which the system clock was shifted.
    type: string
  - name: ocomm
    description: Records the command that was used to start the target process. This field is exclusive to the record of type OBJ_PID.
    type: string
  - name: old_lock
    description: Records the old value of a lock being set on an audit feature.
    type: string
  - name: oses
    description: Records the session ID of the target process. This field is exclusive to the record of type OBJ_PID.
    type: string
  - name: obj
    description: Records the SELinux context of an object. An object can be a file, a directory, a socket, or anything that is receiving the action of a subject.
    type: string
  - name: objtype
    description: Records the intent of the PATH record object in the context of a syscall.
    type: string
  - name: obj_gid
    description: Records the group ID of an object.
    type: string
  - name: obj_lev_high
    description: Records the high SELinux level of an object.
    type: string
  - name: obj_lev_low
    description: Records the low SELinux level of an object.
    type: string
  - name: obj_role
    description: Records the SELinux role of an object.
    type: string
  - name: obj_type
    description: Records the type of an object.
    type: string
  - name: obj_uid
    description: Records the UID of an object.
    type: string
  - name: obj_user
    description: Records the user that is associated with an object.
    type: string
  - name: old-disk
    description: Records the name of an old disk resource when a new disk resource is assigned to a virtual machine.
    type: string
  - name: old-mem
    description: Records the amount of an old memory resource when a new amount of memory is assigned to a virtual machine.
    type: string
  - name: old-vcpu
    description: Records the number of an old virtual CPU resource when a new virtual CPU is assigned to a virtual machine.
    type: string
  - name: old-net
    description: Records the MAC address of an old network interface resource when a new network interface is assigned to a virtual machine.
    type: string
  - name: old_prom
    description: Records the previous value of the network promiscuity flag.
    type: string
  - name: path
    description: Records the full path of the file or directory that was passed to the system call as an argument in case of AVC-related Audit events.
    type: string
  - name: perm
    description: Records the file permission that was used to generate an event (that is, read, write, execute, or attribute change)
    type: string
  - name: ppid
    description: Records the Parent Process ID (PID).
    type: string
  - name: proctitle
    description: Records the full command-line of the command that was used to invoke the analyzed process. The field is encoded in hexadecimal notation to not allow the user to influence the Audit log parser. The text decodes to the command that triggered this Audit event. When searching Audit records with the ausearch command, use the -i or --interpret option to automatically convert hexadecimal values into their human-readable equivalents.
    type: string
  - name: prom
    description: Records the network promiscuity flag.
    type: string
  - name: proto
    description: Records the networking protocol that was used. This field is specific to Audit events generated by iptables.
    type: string
  - name: res
    description: Records the result of the operation that triggered the Audit event.
    type: string
  - name: resp
    description: Records the response from an fanotify access control decision.
    type: string
  - name: result
    description: Records the result of the operation that triggered the Audit event.
    type: string
  - name: saddr
    description: Records the socket address.
    type: string
  - name: sec
    description: Records the number of seconds by which the system clock was shifted.
    type: string
  - name: ses
    description: Records the session ID of the session from which the analyzed process was invoked.
    type: string
  - name: sig
    description: Records the number of a signal that causes a program to end abnormally. Usually, this is a sign of a system intrusion.
    type: string
  - name: subj
    description: Records the SELinux context of a subject. A subject can be a process, a user, or anything that is acting upon an object.
    type: string
  - name: subj_clr
    description: Records the SELinux clearance of a subject.
    type: string
  - name: subj_role
    description: Records the SELinux role of a subject.
    type: string
  - name: subj_sen
    description: Records the SELinux sensitivity of a subject.
    type: string
  - name: subj_type
    description: Records the type of a subject.
    type: string
  - name: subj_user
    description: Records the user that is associated with a subject.
    type: string
  - name: success
    description: Records whether a system call was successful or failed.
    type: string
  - name: syscall
    description: Records the type of the system call that was sent to the kernel.
    type: string
  - name: terminal
    description: Records the terminal name (without /dev/).
    type: string
  - name: tty
    description: Records the name of the controlling terminal. The value (none) is used if the process has no controlling terminal.
    type: string
  - name: vm
    description: Records the name of a virtual machine from which the Audit event originated.
    type: string
  - name: xattr
    description: Records the set of extended attributes modified and protected by EVM.
    type: string
  - name: pid
    description: The pid field semantics depend on the origin of the value in this field. In fields generated from user-space, this field holds a process ID. In fields generated by the kernel, this field holds a thread ID. The thread ID is equal to process ID for single-threaded processes. Note that the value of this thread ID is different from the values of pthread_t IDs used in user-space. For more information, see the gettid(2) man page.
    type: string
  - name: sauid
    description: Records the sender Audit login user ID. This ID is provided by D-Bus as the kernel is unable to see which user is sending the original auid.
    type: string
  - name: sgid
    description: Records the set group ID of the user who started the analyzed process.
    type: string
  - name: oauid
    description: Records the user ID of the user that has logged in to access the system (as opposed to, for example, using su) and has started the target process. This field is exclusive to the record of type OBJ_PID.
    type: string
  - name: opid
    description: Records the process ID of the target process. This field is exclusive to the record of type OBJ_PID.
    type: string
  - name: ouid
    description: Records the real user ID of the target process.
    type: string
  - name: ogid
    description: Records the object owner's group ID.
    type: string
  - name: uid
    description: Records the real user ID of the user who started the analyzed process.
    type: string
    indicators:
      - actor_id
  - name: suid
    description: Records the set user ID of the user who started the analyzed process.
    type: string
  - name: egid
    description: Records the effective group ID of the user who started the analyzed process.
    type: string
  - name: auid
    description: Records the Audit user ID. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with su -john).
    type: string
  - name: euid
    description: Records the effective user ID of the user who started the analyzed process.
    type: string
  - name: gid
    description: Records the group ID.
    type: string
  - name: extra_message_fields
    description: Panther-defined field. The msg field of an auditd record can contain arbitrary key=value pairs; Panther structures them into a map.
    type: json
  - name: timestamp
    required: true
    description: When the audit event occurred
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: eventId
    description: ID of the audit event, taken from the serial number after the timestamp in msg=audit(...). Multiple records share the same timestamp and ID when they were generated as part of the same Audit event.
    type: string
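To make the schema above concrete, the following is an added Python example (not Panther's own parser) that turns raw audit.log records into dictionaries keyed like Linux.Auditd: the record header yields type, timestamp and eventId, the key=value pairs become fields, hex-encoded string fields such as proctitle are decoded, and the pairs nested inside a USER_* record's msg='...' are split between schema fields and extra_message_fields. The sample records are constructed. The allow-lists HEX_ENCODED_STRINGS and SCHEMA_FIELDS are assumptions of this example, and the page does not say how Panther itself decides which msg pairs to promote to top-level fields.

```python
"""Parse raw auditd records into the shape of Panther's Linux.Auditd schema.

Added example for this page, not Panther's own parser. SAMPLE_LOG below is
constructed to look like /var/log/audit/audit.log output.
"""
import re
from collections import defaultdict

# Every record starts: type=<TYPE> msg=audit(<unix seconds>.<millis>:<serial>): <key=value ...>
HEADER = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# A value is "double-quoted", 'single-quoted' (the nested msg='...' of USER_* records) or bare.
KV = re.compile(r"""(?P<key>[A-Za-z0-9_\-]+)=(?P<val>"[^"]*"|'[^']*'|\S*)""")
HEX = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

# auditd hex-encodes these string fields instead of quoting them when the value contains
# spaces, quotes or control characters. Fields like a0..a3 and arch are hex by nature and
# must not be decoded, so decoding is limited to this allow-list (an assumption here).
HEX_ENCODED_STRINGS = {"proctitle", "comm", "exe", "cwd", "name", "cmd", "key", "acct"}

# Subset of the field names in the Linux.Auditd schema above. Pairs found inside msg='...'
# with one of these names are promoted to the top level; the rest go to
# extra_message_fields. The page does not say how Panther itself draws this line.
SCHEMA_FIELDS = {
    "acct", "addr", "exe", "hostname", "terminal", "res", "tty", "auid", "uid", "pid",
    "ses", "subj", "comm", "cwd", "name", "key", "proctitle", "cmd", "id", "exit",
}

# Constructed sample: one four-record SYSCALL event plus one USER_AUTH record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL
type=PROCTITLE msg=audit(1364481363.243:24287): proctitle=636174002F6574632F7373682F737368645F636F6E666967
type=USER_AUTH msg=audit(1364475353.159:24270): pid=3280 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="john" exe="/usr/bin/sudo" hostname=? addr=? terminal=pts/0 res=success'
"""


def decode_value(key, raw):
    """Strip quotes, or hex-decode an unquoted untrusted string field."""
    if len(raw) >= 2 and raw[0] in "\"'" and raw[-1] == raw[0]:
        return raw[1:-1]
    if key in HEX_ENCODED_STRINGS and HEX.match(raw):
        # proctitle separates argv entries with NUL bytes; render them as spaces.
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ").rstrip()
    return raw


def parse_pairs(text):
    """key=value list -> dict with quotes stripped and hex strings decoded."""
    return {m.group("key"): decode_value(m.group("key"), m.group("val")) for m in KV.finditer(text)}


def parse_record(line):
    """One raw audit.log line -> dict keyed like the Linux.Auditd schema."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not an auditd record: {line!r}")
    body = m.group("body")
    event = {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),  # schema: unix time, isEventTime
        "eventId": m.group("serial"),
    }
    # USER_*, CRED_* and similar records nest a second key=value list inside msg='...'.
    nested = re.search(r"msg='(?P<inner>[^']*)'", body)
    extra = {}
    if nested:
        body = body[: nested.start()] + body[nested.end():]
        for k, v in parse_pairs(nested.group("inner")).items():
            if k in SCHEMA_FIELDS:
                event[k] = v
            else:
                extra[k] = v
    event.update(parse_pairs(body))
    if extra:
        event["extra_message_fields"] = extra
    return event


def parse_log(text):
    """Parse every non-empty line of an audit.log excerpt."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def group_by_event(events):
    """Records sharing an eventId belong to one audit event (SYSCALL + CWD + PATH +
    PROCTITLE); group them so an investigator sees the whole event at once."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev["eventId"]].append(ev)
    return dict(grouped)


if __name__ == "__main__":
    for serial, records in group_by_event(parse_log(SAMPLE_LOG)).items():
        print(serial, [r["type"] for r in records])
```

Run as a script it prints the two event serials with their record types, showing that the four records of event 24287 arrive as separate lines but describe one syscall. When checking a parser like this against real data, compare its output with ausearch -i on the same records: the interpreted fields must agree, including the decoded proctitle.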
