Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| PATH Messages | Base Rule | System Audit Event | Other Audit |
Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| type | <vmid> | Text/String | Type of the record. |
| msg | <serialnumber> | Number | Records a time stamp and a unique ID of the record in the form audit(time_stamp:ID). |
| item | N/A | N/A | Indicates which item, of the total number of items referenced in the |
| name | <parentprocesspath> | Text/String | Records the full path of the file or directory that was passed to the system call as an argument. |
| inode | N/A | N/A | Records the inode number associated with the file or directory recorded in an Audit event. |
| dev | N/A | N/A | Records the minor and major ID of the device that contains the file or directory recorded in an event. |
| mode | N/A | N/A | Records the file or directory permissions, encoded in numerical notation. |
| ouid | <login> | Number | Records the real user ID of the target process. |
| ogid | <group> | Number | Records the object owner's group ID. |
| rdev | N/A | N/A | Contains a recorded device identifier for special files only. |
| nametype | <objecttype> | Text/String | Records the intent of the PATH record object in the context of a syscall. |
| cap_fp | N/A | N/A | Records data related to the setting of a permitted file system-based capability. |
| cap_fi | N/A | N/A | Records data related to the setting of an inherited file system-based capability. |
| cap_fe | N/A | N/A | Records data related to the setting of the effective file system-based capability bit. |
| cap_fver | N/A | N/A | Records the version of a file system-based capability. |
| cap_frootid | N/A | N/A | N/A |
| OUID | <login> | Text/String | Records the object owner's user ID. |
| OGID | <group> | Text/String | Records the object owner's group ID. |
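To make the mapping concrete, here is an added example (not LogRhythm's parser, and not part of the vendor documentation) that tokenizes a raw auditd PATH record and renames the keys according to the table above. It assumes two things the table does not state: that `serialnumber` receives the numeric record ID parsed out of `audit(time_stamp:ID)`, and that when both the numeric `ouid`/`ogid` and the resolved `OUID`/`OGID` names are present (auditd's ENRICHED log format appends the resolved names after a 0x1d separator), the resolved names win for `login` and `group`. It also handles the case where auditd hex-encodes `name` because the path contains a space or other unsafe character. The sample records are constructed, not taken from a real system.

```python
import re
import binascii

# Mapping from auditd PATH record keys to LogRhythm schema fields, copied from
# the table above. Keys the table lists as N/A are parsed but not mapped.
PATH_FIELD_MAP = {
    "type": "vmid",
    "msg": "serialnumber",
    "name": "parentprocesspath",
    "ouid": "login",
    "ogid": "group",
    "nametype": "objecttype",
    "OUID": "login",
    "OGID": "group",
}

# key=value tokens: the value is either a double-quoted string or an
# unquoted run of non-whitespace characters.
_TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(1700000000.123:4242):  ->  seconds, fraction, record ID
_MSG_RE = re.compile(r'^audit\((\d+)\.(\d+):(\d+)\):?$')

def _decode_value(key, raw):
    """Strip quotes, and hex-decode an unquoted name.

    auditd writes name= unquoted and hex-encoded when the path contains
    characters that would break the key=value syntax (space, quote, control
    characters). Other unquoted values such as name=(null) are returned as-is.
    """
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key == "name" and re.fullmatch(r'[0-9A-Fa-f]+', raw) and len(raw) % 2 == 0:
        try:
            return binascii.unhexlify(raw).decode("utf-8", errors="replace")
        except (binascii.Error, UnicodeDecodeError):
            return raw
    return raw

def parse_path_record(line):
    """Parse one auditd PATH record into a dict of its raw device keys.

    ENRICHED-format records carry resolved names (OUID="root", ...) after a
    0x1d separator; they use the same key=value grammar, so splitting on the
    separator and tokenizing each part covers both formats.
    """
    fields = {}
    for part in line.split("\x1d"):
        for key, raw in _TOKEN_RE.findall(part):
            fields[key] = _decode_value(key, raw)
    if fields.get("type") != "PATH":
        raise ValueError("not a PATH record: %r" % fields.get("type"))
    return fields

def to_logrhythm(fields):
    """Rename parsed PATH keys to the LogRhythm schema fields from the table.

    Assumption (not on the page): serialnumber holds the record ID from
    audit(time_stamp:ID) as an integer. Keys are processed in table order, so
    an ENRICHED OUID/OGID overwrites the numeric ouid/ogid for login/group.
    """
    out = {}
    for key in ("type", "msg", "name", "ouid", "ogid", "nametype", "OUID", "OGID"):
        if key not in fields:
            continue
        value = fields[key]
        if key == "msg":
            m = _MSG_RE.match(value)
            if not m:
                raise ValueError("malformed msg field: %r" % value)
            value = int(m.group(3))
        elif key in ("ouid", "ogid"):
            value = int(value)
        out[PATH_FIELD_MAP[key]] = value
    return out

# Constructed sample records (not from the page). The second is ENRICHED: the
# resolved names follow a 0x1d separator, and name= is hex for "/tmp/a b.txt"
# because the path contains a space.
SAMPLE_PLAIN = ('type=PATH msg=audit(1700000000.123:4242): item=0 name="/etc/ssh/sshd_config" '
                'inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 '
                'nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0')
SAMPLE_ENRICHED = ('type=PATH msg=audit(1700000000.456:4243): item=1 name=2F746D702F6120622E747874 '
                   'inode=77 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 '
                   'nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0'
                   '\x1dOUID="alice" OGID="alice"')

if __name__ == "__main__":
    for line in (SAMPLE_PLAIN, SAMPLE_ENRICHED):
        print(to_logrhythm(parse_path_record(line)))
```

Running the block prints one mapped dict per sample; the second shows the decoded path and the resolved user and group names in `login` and `group`. Records whose `type` is not PATH are rejected rather than silently mapped, which matters because SYSCALL and CWD records from the same event share the `msg` value but carry different keys.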