NAME,FORMAT,MEANING,EXCEPTION
a[0-3],numeric hexadecimal,the arguments to a syscall,syscall
a[[:digit:]+]\[.*\],encoded,the arguments to the execve syscall,execve
acct,encoded,a user's account name,
acl,alphabet,access mode of resource assigned to vm,
action,numeric,netfilter packet disposition,
added,numeric,number of new files detected,
addr,encoded,the remote address that the user is connecting from,
apparmor,encoded,apparmor event information,
arch,numeric hexadecimal,the elf architecture flags,
argc,numeric decimal,the number of arguments to an execve syscall,
audit_backlog_limit,numeric decimal,audit system's backlog queue size,
audit_backlog_wait_time,numeric decimal,audit system's backlog wait time,
audit_enabled,numeric decimal,audit systems's enable/disable status,
audit_failure,numeric decimal,audit system's failure mode,
auid,numeric decimal,login user ID,
banners,alphanumeric,banners used on printed page,
bool,alphanumeric,name of SELinux boolean,
bus,alphanumeric,name of subsystem bus a vm resource belongs to,
capability,numeric decimal,posix capabilities,
cap_fe,numeric decimal,file assigned effective capability map,
cap_fi,numeric hexadecimal,file inherited capability map,
cap_fp,numeric hexadecimal,file permitted capability map,
cap_fver,numeric hexadecimal,file system capabilities version number,
cap_pa,numeric hexadecimal,process ambient capability map,
cap_pe,numeric hexadecimal,process effective capability map,
cap_pi,numeric hexadecimal,process inherited capability map,
cap_pp,numeric hexadecimal,process permitted capability map,
category,alphabet,resource category assigned to vm,
cgroup,encoded,path to cgroup in sysfs,
changed,numeric decimal,number of changed files,
cipher,alphanumeric,name of crypto cipher selected,
class,alphabet,resource class assigned to vm,
cmd,encoded,command being executed,
code,numeric hexadecimal,seccomp action code,
comm,encoded,command line program name,
compat,numeric decimal,is_compat_task result,
cwd,encoded,the current working directory,
daddr,alphanumeric,remote IP address,
data,encoded,TTY text,
default-context,alphanumeric,default MAC context,
dev,numeric hexadecimal-tuple,in path records,major and minor for device
dev,alphanumeric,device name as found in /dev,avc
device,encoded,device name,
dir,encoded,directory name,
direction,alphanumeric,direction of crypto operation,
dmac,numeric,remote MAC address,
dport,numeric decimal,remote port number,
egid,numeric decimal,effective group ID,
enforcing,numeric decimal,new MAC enforcement status,
entries,numeric decimal,number of entries in the netfilter table,
errno,numeric decimal,error code of the audited operation,
euid,numeric decimal,effective user ID,
exe,encoded,executable name,
exit,numeric decimal,syscall exit code,
fam,alphanumeric,socket address family,
family,numeric decimal,netfilter protocol,
fd,numeric decimal,file descriptor number,
file,encoded,file name,
flags,numeric hexadecimal,mmap syscall flags,
fe,numeric decimal,file assigned effective capability map,
feature,alphanumeric,kernel feature being changed,
fi,numeric hexadecimal,file assigned inherited capability map,
fp,numeric hexadecimal,file assigned permitted capability map,
fp,alphanumeric,crypto key finger print,crypto_key
format,alphanumeric,audit log's format,
fsgid,numeric decimal,file system group ID,
fsuid,numeric decimal,file system user ID,
fver,numeric hexadecimal,file system capabilities version number,
gid,numeric decimal,group ID,
grantors,alphanumeric,pam modules approving the action,
grp,encoded,group name,
hook,numeric,netfilter hook that packet came from,
hostname,alphanumeric,the hostname that the user is connecting from,
icmp_type,numeric,type of icmp message,
id,numeric,during account changes,the user ID of the account
igid,numeric decimal,ipc object's group ID,
img-ctx,alphanumeric,the vm's disk image context string,
inif,numeric,in interface number,
ip,alphanumeric,network address of a printer,
ipid,numeric decimal,IP datagram fragment identifier,
ino,numeric decimal,inode number,
inode,numeric decimal,inode number,
inode_gid,numeric decimal,group ID of the inode's owner,
inode_uid,numeric decimal,user ID of the inode's owner,
invalid_context,encoded,SELinux context,
ioctlcmd,numeric hexadecimal,The request argument to the ioctl syscall,
ipx-net,numeric,IPX network number,
item,numeric decimal,which item is being recorded,
items,numeric decimal,the number of path records in the event,
iuid,numeric decimal,ipc object's user ID,
kernel,alphanumeric,kernel's version number,
key,encoded,key assigned from triggered audit rule,
kind,alphabet,server or client in crypto operation,
ksize,numeric,key size for crypto operation,
laddr,alphanumeric,local network address,
len,numeric decimal,length,
lport,numeric decimal,local network port,
list,numeric decimal,the audit system's filter list number,
mac,alphanumeric,crypto MAC algorithm selected,
macproto,numeric,ethernet packet type ID field,
maj,numeric,device major number,
major,numeric decimal,device major number,
minor,numeric decimal,device minor number,
mode,numeric octal,mode flags on a file,
model,alphanumeric,security model being used for virt,
msg,alphanumeric,the payload of the audit record,
nargs,numeric decimal,the number of arguments to a socket call,
name,encoded,file name in avcs,
nametype,alphabet,kind of file operation being referenced,
net,alphanumeric,network MAC address,
new,numeric,value being set in feature,
new-chardev,encoded,new character device being assigned to vm,
new-disk,encoded,disk being added to vm,
new-enabled,numeric decimal,new TTY audit enabled setting,
new-fs,encoded,file system being added to vm,
new_gid,numeric decimal,new group ID being assigned,
new-level,alphanumeric,new run level,
new_lock,numeric decimal,new value of feature lock,
new-log_passwd,numeric decimal,new value for TTY password logging,
new-mem,numeric,new amount of memory in KB,
new-net,encoded,MAC address being assigned to vm,
new_pe,numeric,new process effective capability map(deprec),
new_pi,numeric,new process inherited capability map(deprec),
new_pp,numeric,new process permitted capability map(deprec),
new-range,alphanumeric,new SELinux range,
new-rng,encoded,device name of rng being added from a vm,
new-role,alphanumeric,new SELinux role,
new-seuser,alphanumeric,new SELinux user,
new-vcpu,numeric,new number of CPU cores,
nlnk-fam,numeric,netlink protocol number,
nlnk-grp,numeric,netlink group number,
nlnk-pid,numeric decimal,pid of netlink packet sender,
oauid,numeric decimal,object's login user ID,
obj,alphanumeric,lspp object context string,
obj_gid,numeric decimal,group ID of object,
obj_uid,numeric decimal,user ID of object,
oflag,numeric,open syscall flags,
ogid,numeric decimal,file owner group ID,
ocomm,encoded,object's command line name,
old,numeric,present value of kernel feature,
old,numeric,old value,audit_enabled audit_backlog audit_failure value
old-auid,numeric decimal,previous auid value,
old-chardev,encoded,present character device assigned to vm,
old-disk,encoded,disk being removed from vm,
old-enabled,numeric decimal,present TTY audit enabled setting,
old_enforcing,numeric decimal,old MAC enforcement status,
old-fs,encoded,file system being removed from vm,
old-level,alphanumeric,old run level,
old_lock,numeric decimal,present value of feature lock,
old-log_passwd,numeric decimal,present value for TTY password logging,
old-mem,numeric,present amount of memory in KB,
old-net,encoded,present MAC address assigned to vm,
old_pa,numeric hexadecimal,old process ambient capability map,
old_pe,numeric hexadecimal,old process effective capability map,
old_pi,numeric hexadecimal,old process inherited capability map,
old_pp,numeric hexadecimal,old process permitted capability map,
old_prom,numeric decimal,network promiscuity flag,
old-range,alphanumeric,present SELinux range,
old-rng,encoded,device name of rng being removed from a vm,
old-role,alphanumeric,present SELinux role,
old-ses,numeric decimal,previous ses value,
old-seuser,alphanumeric,present SELinux user,
old_val,numeric decimal,current value of SELinux boolean,
old-vcpu,numeric,present number of CPU cores,
op,alphanumeric,the operation being performed that is audited,
opid,numeric decimal,object's process ID,
oses,numeric decimal,object's session ID,
ouid,numeric decimal,file owner user ID,
outif,numeric,out interface number,
pa,numeric hexadecimal,process ambient capability map,
pe,numeric hexadecimal,process effective capability map,
pi,numeric hexadecimal,process inherited capability map,
pp,numeric hexadecimal,process permitted capability map,
parent,numeric,the inode number of the parent file,
path,encoded,file system path name,
per,numeric hexadecimal,linux personality,
perm,numeric,the file permission being used,
perm_mask,numeric,file permission mask that triggered a watch event,
permissive,numeric decimal,SELinux is in permissive mode,
pfs,alphanumeric,perfect forward secrecy method,
pid,numeric decimal,process ID,
ppid,numeric decimal,parent process ID,
printer,alphanumeric,printer name,
prom,numeric decimal,network promiscuity flag,
proctitle,encoded,process title and command line parameters,
proto,numeric decimal,network protocol,
qbytes,numeric hexadecimal,ipc objects quantity of bytes,
range,alphanumeric,user's SE Linux range,
rdev,numeric hexadecimal-tuple,the device identifier (special files only),
reason,alphanumeric,text string denoting a reason for the action,
removed,numeric,number of deleted files,
res,numeric decimal,result of the audited operation(success/fail),
resrc,alphanumeric,resource being assigned,
result,alphanumeric,result of the audited operation(success/fail),
role,alphanumeric,user's SELinux role,
rport,numeric decimal,remote port number,
saddr,encoded,struct socket address structure,
sauid,numeric decimal,sent login user ID,
scontext,alphanumeric,the subject's context string,
selected-context,alphanumeric,new MAC context assigned to session,
seperm,alphanumeric,SELinux permission being decided on,
seqno,numeric decimal,sequence number,
seperms,alphabet,SELinux permissions being used,
seresult,alphabet,SELinux AVC decision granted/denied,
ses,numeric decimal,login session ID,
seuser,alphanumeric,user's SE Linux user acct,
sgid,numeric decimal,set group ID,
sig,numeric decimal,signal number,
sigev_signo,numeric decimal,signal number,
smac,numeric,local MAC address,
spid,numeric decimal,sent process ID,
sport,numeric decimal,local port number,
state,alphanumeric,audit daemon configuration resulting state,
subj,alphanumeric,lspp subject's context string,
success,alphanumeric,whether the syscall was successful or not,
suid,numeric decimal,sent user ID,
syscall,numeric decimal,syscall number in effect when the event occurred,
table,alphanumeric,netfilter table name,
tclass,alphanumeric,target's object classification,
tcontext,alphanumeric,the target's or object's context string,
terminal,alphanumeric,terminal name the user is running programs on,
tty,alphanumeric,tty udevice the user is running programs on,
type,alphanumeric,the audit record's type,
uid,numeric decimal,user ID,
unit,alphanumeric,systemd unit,
uri,alphanumeric,URI pointing to a printer,
user,alphanumeric,account submitted for authentication,
uuid,alphanumeric,a UUID,
val,alphanumeric,generic value associated with the operation,
val,numeric decimal,new value of SELinux boolean,
ver,numeric,audit daemon's version number,
virt,alphanumeric,kind of virtualization being referenced,
vm,encoded,virtual machine name,
vm-ctx,alphanumeric,the vm's context string,
vm-pid,numeric decimal,vm's process ID,
watch,encoded,file name in a watch record,