Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| SYSCALL Messages | Base Rule | System Call | Other Audit Success |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| type | <vmid> | Text/String | Type of the audit record (SYSCALL for the records covered by this rule). |
| msg | <serialnumber> | Number | Records a time stamp and a unique ID of the record in the form audit(time_stamp:ID). All records that share the same ID belong to the same audit event. |
| arch | N/A | N/A | Records information about the CPU architecture of the system, encoded in hexadecimal notation. |
| syscall | N/A | N/A | Records the number of the system call that was sent to the kernel. System call numbers are architecture-specific, so interpret them together with arch. |
| success | <result> | Text/String | Records whether the system call succeeded (yes) or failed (no). |
| exit | N/A | N/A | Records the exit code returned by the system call. The value varies by system call; negative values are errno codes, which ausearch --interpret renders in their human-readable form. |
| a0, a1, a2, a3 | N/A | N/A | Records the first four arguments of the system call, encoded in hexadecimal notation. Only four arguments are logged. |
| items | N/A | N/A | Records the number of PATH records that are attached to this record. |
| ppid | <parentprocessid> | Number | Records the Parent Process ID (PPID). |
| pid | <processid> | Number | Records the Process ID (PID). |
| auid | N/A | N/A | Records the audit user ID, that is, the loginuid: the ID of the user who originally logged in, which is preserved across su and sudo. |
| uid | <login> | Number | Records the user ID of the user who started the analyzed process. |
| gid | <group> | Number | Records the group ID of the user who started the analyzed process. |
| euid | N/A | N/A | Records the effective user ID of the user who started the analyzed process. |
| suid | N/A | N/A | Records the saved set-user-ID of the user who started the analyzed process. |
| fsuid | N/A | N/A | Records the file system user ID of the user who started the analyzed process. |
| egid | N/A | N/A | Records the effective group ID of the user who started the analyzed process. |
| sgid | N/A | N/A | Records the saved set-group-ID of the user who started the analyzed process. |
| fsgid | N/A | N/A | Records the file system group ID of the user who started the analyzed process. |
| tty | <sessiontype> | Text/String | Records the terminal from which the analyzed process was invoked; (none) when the process has no controlling terminal. |
| ses | <session> | Number | Records the session ID of the login session from which the analyzed process was invoked. |
| comm | <parentprocessname> | Text/String | Records the command name of the analyzed process (the kernel comm value, at most 15 characters). |
| exe | <parentprocesspath> | Text/String | Records the path to the executable that was used to invoke the analyzed process. |
| key | N/A | N/A | Records the user-defined string (rule key) associated with the audit rule that generated the event; (null) when the matching rule has no key. |
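The following is an added worked example, not LogRhythm's or auditd's own code, showing how a raw SYSCALL record is tokenised and projected onto the schema fields listed in the mapping table above. The two sample records are constructed for illustration; the second one has no controlling terminal, no rule key, and hex-encoded comm and exe values, which auditd emits in place of quoted strings whenever a value contains spaces, quotes or non-printable bytes. The helper functions for decoding arch and exit go beyond the table (which leaves those fields unmapped) and the set of recognised ELF machine values is an assumption limited to four common architectures.

```python
"""Parse an auditd SYSCALL record and map it onto the LogRhythm schema fields
from the table above. Added example code, not the vendor's parser."""
import errno
import os
import re

# Constructed sample SYSCALL records (not real captures). Record 2 has no TTY,
# no rule key, and hex-encoded comm/exe: auditd hex-encodes string fields that
# contain spaces, quotes or non-printable bytes instead of quoting them.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=257 '
    'success=no exit=-13 a0=ffffff9c a1=7ffd2c1a1b20 a2=80000 a3=0 items=1 '
    'ppid=1201 pid=1337 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 '
    'fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="cat" '
    'exe="/usr/bin/cat" key="etc_shadow"',
    'type=SYSCALL msg=audit(1700000001.456:4568): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=55d1c0 a1=55d200 a2=55d240 a3=7f0 items=2 '
    'ppid=1 pid=2001 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=6D7920746F6F6C '
    'exe=2F6F70742F6D7920746F6F6C key=(null)',
]

# key=value tokens; a value is either double-quoted or a run of non-blanks.
TOKEN_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S*)')
# msg=audit(time_stamp:ID): the ID is what the table maps to <serialnumber>.
MSG_RE = re.compile(r"^audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):?$")

# Device key -> LogRhythm schema field, exactly as listed in the mapping table.
FIELD_MAP = {
    "type": "vmid", "success": "result", "ppid": "parentprocessid",
    "pid": "processid", "uid": "login", "gid": "group", "tty": "sessiontype",
    "ses": "session", "comm": "parentprocessname", "exe": "parentprocesspath",
}
NUMERIC_FIELDS = {"parentprocessid", "processid", "login", "group", "session"}
# String fields auditd hex-encodes when they contain awkward characters.
HEX_ENCODED_KEYS = {"comm", "exe", "key", "cwd", "name", "proctitle"}

# ELF e_machine values carried in the low 16 bits of arch (assumption: only
# these four are recognised here); the high bits flag 64-bit and little-endian.
ELF_MACHINE = {3: "i386", 40: "arm", 62: "x86_64", 183: "aarch64"}
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000


def _decode_value(key, raw):
    """Unquote or hex-decode one field value; (null)/(none) become None."""
    if raw in ("(null)", "(none)"):
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    # Unquoted, even-length, all-hex string in a string field: hex-encoded.
    if key in HEX_ENCODED_KEYS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_syscall_record(line):
    """Split a raw SYSCALL line into a {device_key: value} dict."""
    fields = {m["key"]: _decode_value(m["key"], m["val"]) for m in TOKEN_RE.finditer(line)}
    if fields.get("type") != "SYSCALL":
        raise ValueError("not a SYSCALL record: %r" % fields.get("type"))
    return fields


def map_to_logrhythm(fields):
    """Project parsed fields onto the schema names from the table, typed as listed."""
    m = MSG_RE.match(fields.get("msg", ""))
    if m is None:
        raise ValueError("malformed msg field: %r" % fields.get("msg"))
    mapped = {"serialnumber": int(m["serial"])}
    for device_key, schema_field in FIELD_MAP.items():
        value = fields.get(device_key)
        if value is None:          # absent, (none) or (null): leave the field unset
            continue
        mapped[schema_field] = int(value) if schema_field in NUMERIC_FIELDS else value
    return mapped


def syscall_args(fields):
    """a0..a3 are hex-encoded; return them as integers (only four are logged)."""
    return [int(fields["a%d" % i], 16) for i in range(4)]


def interpret_arch(arch_hex):
    """Decode arch into (machine name, is_64bit, is_little_endian)."""
    arch = int(arch_hex, 16)
    machine = ELF_MACHINE.get(arch & 0xFFFF, "em_%d" % (arch & 0xFFFF))
    return machine, bool(arch & AUDIT_ARCH_64BIT), bool(arch & AUDIT_ARCH_LE)


def interpret_exit(exit_str):
    """Negative exit values are -errno; name them as ausearch --interpret does."""
    code = int(exit_str)
    if code >= 0:
        return str(code)
    return "%s (%s)" % (errno.errorcode.get(-code, "errno %d" % -code), os.strerror(-code))


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        fields = parse_syscall_record(line)
        print(map_to_logrhythm(fields), interpret_arch(fields["arch"]), interpret_exit(fields["exit"]))
```

Two details matter for detection work: records sharing the serial number in msg belong to one event, so the PATH, CWD and PROCTITLE records for a SYSCALL must be joined on that ID, and the hex-decoding branch is what keeps a process name containing a space (a common evasion trick) from being ingested as a meaningless hex string.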