
Linux

The linux log type records Linux syslog events.

The following snippet lists every `raw_field` to `ecs` mapping for this log type (shown here wrapped in an object so that it parses as valid JSON):

```json
{
  "mappings": [
    {
      "raw_field": "name",
      "ecs": "user.filesystem.name"
    },
    {
      "raw_field": "a0",
      "ecs": "auditd.log.a0"
    },
    {
      "raw_field": "comm",
      "ecs": "auditd.log.comm"
    },
    {
      "raw_field": "exe",
      "ecs": "auditd.log.exe"
    },
    {
      "raw_field": "uid",
      "ecs": "auditd.log.uid"
    },
    {
      "raw_field": "USER",
      "ecs": "system.auth.user"
    },
    {
      "raw_field": "User",
      "ecs": "system.auth.user"
    },
    {
      "raw_field": "Image",
      "ecs": "process.exe"
    },
    {
      "raw_field": "DestinationHostname",
      "ecs": "rsa.web.remote_domain"
    },
    {
      "raw_field": "CommandLine",
      "ecs": "process.command_line"
    },
    {
      "raw_field": "ParentImage",
      "ecs": "process.parent.executable"
    },
    {
      "raw_field": "CurrentDirectory",
      "ecs": "process.working_directory"
    },
    {
      "raw_field": "LogonId",
      "ecs": "process.real_user.id"
    },
    {
      "raw_field": "creationTime",
      "ecs": "timestamp"
    }
  ]
}
```
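To show how such a table is used, here is an added Python example (not code from the OpenSearch project) that applies the mappings above to a constructed raw event, turning dotted ECS paths into nested objects and keeping unmapped fields untouched. The `SAMPLE_EVENT`, the helper names and the tie-break policy for two raw fields that map to the same ECS path (`USER` and `User` both map to `system.auth.user`; the first one present wins and the other is reported as a conflict) are assumptions for illustration, not documented product behaviour.

```python
import json

# Constructed copy of this page's raw_field -> ecs table for the linux log type.
LINUX_MAPPINGS = [
    {"raw_field": "name", "ecs": "user.filesystem.name"},
    {"raw_field": "a0", "ecs": "auditd.log.a0"},
    {"raw_field": "comm", "ecs": "auditd.log.comm"},
    {"raw_field": "exe", "ecs": "auditd.log.exe"},
    {"raw_field": "uid", "ecs": "auditd.log.uid"},
    {"raw_field": "USER", "ecs": "system.auth.user"},
    {"raw_field": "User", "ecs": "system.auth.user"},
    {"raw_field": "Image", "ecs": "process.exe"},
    {"raw_field": "DestinationHostname", "ecs": "rsa.web.remote_domain"},
    {"raw_field": "CommandLine", "ecs": "process.command_line"},
    {"raw_field": "ParentImage", "ecs": "process.parent.executable"},
    {"raw_field": "CurrentDirectory", "ecs": "process.working_directory"},
    {"raw_field": "LogonId", "ecs": "process.real_user.id"},
    {"raw_field": "creationTime", "ecs": "timestamp"},
]

# Constructed sample event using raw (pre-mapping) field names; not a real log record.
SAMPLE_EVENT = {
    "creationTime": "2024-05-01T12:00:00Z",
    "Image": "/usr/bin/bash",
    "CommandLine": "bash -c id",
    "ParentImage": "/usr/sbin/sshd",
    "CurrentDirectory": "/home/alice",
    "USER": "alice",
    "User": "alice",
    "hostname": "host-01",
}


def build_lookup(mappings):
    """raw_field -> ecs path; for a repeated raw_field the later entry wins."""
    return {m["raw_field"]: m["ecs"] for m in mappings}


def duplicate_targets(mappings):
    """ECS paths that more than one raw_field maps to (a table sanity check)."""
    by_target = {}
    for m in mappings:
        by_target.setdefault(m["ecs"], []).append(m["raw_field"])
    return {ecs: raws for ecs, raws in by_target.items() if len(raws) > 1}


def set_dotted(doc, dotted, value):
    """Store value under a dotted ECS path as nested objects."""
    *parents, leaf = dotted.split(".")
    cur = doc
    for part in parents:
        cur = cur.setdefault(part, {})
    cur[leaf] = value


def apply_mappings(event, mappings):
    """Rename mapped fields to their ECS paths and keep unmapped fields as-is.

    Returns (mapped_doc, conflicts). A conflict is recorded as
    (dropped_raw_field, kept_raw_field, ecs_path) when a second raw field
    targets an ECS path that is already filled (assumed first-wins policy).
    """
    lookup = build_lookup(mappings)
    out, owner, conflicts = {}, {}, []
    for raw, value in event.items():
        ecs = lookup.get(raw)
        if ecs is None:
            out[raw] = value          # not in the table: pass through unchanged
        elif ecs in owner:
            conflicts.append((raw, owner[ecs], ecs))
        else:
            owner[ecs] = raw
            set_dotted(out, ecs, value)
    return out, conflicts


if __name__ == "__main__":
    mapped, found = apply_mappings(SAMPLE_EVENT, LINUX_MAPPINGS)
    print(json.dumps(mapped, indent=2))
    print("conflicts:", found)
    print("duplicate targets:", duplicate_targets(LINUX_MAPPINGS))
```

Running the script prints the ECS-shaped document, the one conflict (`User` dropped in favour of `USER`) and the duplicate-target report; the latter is the check worth running whenever a mapping table is edited, since two raw fields feeding one ECS path can silently overwrite each other in a real pipeline.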