Syslog - Generic Linux OS: Kernel Audit

Vendor Documentation

N/A

Classification

Rule Name

Rule Type

Common Event

Classification

Kernel Audit

Base Rule

General Kernel Information

Information

Mapping with LogRhythm Schema

Device Key in Log Message

LogRhythm Schema

Data Type

Schema Description

type

<vmid>

Number

N/A

N/A

<serialnumber>

Number

Records a time stamp and a unique ID of the record in the form audit(time_stamp:ID).

apparmor

<status>

Text/String

The status of the operation.

operation

<action>

Text/String

The system action being attempted.

profile

N/A

N/A

The name of the specific AppArmor profile confining the process.

name

<parentprocesspath>

Text/String

The target file, path, or resource being accessed.

pid

<parentprocessid>

Text/String

The Process ID of the application performing the attempt.

comm

<parentprocessname>

Text/String

The name of the command or executable trying to run the action.

requested_mask

N/A

N/A

The permission the process asked for.

denied_mask

N/A

N/A

The permission AppArmor blocked.

fsuid

N/A

N/A

The Filesystem User ID running the process.

ouid

N/A

N/A

The User ID of the owner of the target file.