^type=CONFIG_CHANGE
auditd-config_change
msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):
audit.id
auditd-config_change
auid=(\S+) ses=(\S+) subj=(\S+) op=(\S+)
audit.auid,audit.session,audit.subj,audit.op
auditd-config_change
key=\((\S+)\)|key="(\S+)"|key=(\S+)
audit.key
auditd-config_change
list=(\S+)
audit.list
auditd-config_change
res=(\S+)
audit.res
^type=EXECVE
auditd-execve
msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):
audit.id
auditd-execve
argc=\d+ a0="(\.*)"
audit.execve.a0
auditd-execve
a1="(\.*)"
audit.execve.a1
auditd-execve
a2="(\.*)"
audit.execve.a2
auditd-execve
a3="(\.*)"
audit.execve.a3
auditd-execve
a4="(\.*)"
audit.execve.a4
auditd-execve
a5="(\.*)"
audit.execve.a5
auditd-execve
a6="(\.*)"
audit.execve.a6
auditd-execve
a7="(\.*)"
audit.execve.a7
^type=PATH
auditd-path
msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\S+ name="(\.*)" inode=(\S+) dev=\S+ mode=(\S+) ouid=\S+ ogid=\S+ rdev=\S+ nametype=(\S+)
audit.id,audit.directory.name, audit.directory.inode, audit.directory.mode,audit.directory.nametype
auditd-path
type=PATH msg=audit\(\S+\): item=\S+ name="(\.*)" inode=(\S+) dev=\S+ mode=(\S+) ouid=\S+ ogid=\S+ |type=PATH msg=audit\(\S+\): item=\S+ name=\((null)\) inode=(\S+) dev=\S+ mode=(\S+) ouid=\S+ ogid=\S+
audit.file.name, audit.file.inode, audit.file.mode
^type=SYSCALL
auditd-syscall
msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):
audit.id
auditd-syscall
^arch=(\S+) syscall=(\d+) success=(\S+) exit=(\S+) a0=\S+ a1=\S+ a2=\S+ a3=\S+ items=\S+ ppid=(\S+) pid=(\S+) auid=(\S+) uid=(\S+) gid=(\S+) euid=(\S+) suid=(\S+) fsuid=(\S+) egid=(\S+) sgid=(\S+) fsgid=(\S+) tty=(\S+) ses=(\S+) comm=\p(\S+)\p exe=\p(\S+)\p
audit.arch,audit.syscall,audit.success,audit.exit,audit.ppid,audit.pid,audit.auid,audit.uid,audit.gid,audit.euid,audit.suid,audit.fsuid,audit.egid,audit.sgid,audit.fsgid,audit.tty,audit.session,audit.command,audit.exe
auditd-syscall
comm=\p*(\w+)\p*
audit.command
auditd-syscall
exe=\p(\S+)\p
audit.exe
auditd-syscall
key=\((\S+)\)|key="(\S+)"|key=(\S+)
audit.key
^type=
auditd-user_and_cred
^USER_ACCT |^CRED_ACQ |^USER_START |^CRED_REFR|^CRYPTO_KEY_USER|^CRYPTO_SESSION |^USER_AUTH |^USER_ROLE_CHANGE|^SERVICE_STOP
^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\):
audit.type,audit.id
auditd-user_and_cred
^pid=(\S+) uid=(\S+) auid=(\S+) ses=(\S+)
audit.pid,audit.uid,audit.auid,audit.session
auditd-user_and_cred
subj=(\S+)
audit.subj
auditd-user_and_cred
acct="(\S+)"
audit.acct
auditd-user_and_cred
unit=(\S+)
audit.unit
auditd-user_and_cred
exe="(\S+)"
audit.exe
auditd-user_and_cred
addr=(\S+)
srcip