^type=CONFIG_CHANGE auditd-config_change msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): audit.id auditd-config_change auid=(\S+) ses=(\S+) subj=(\S+) op=(\S+) audit.auid,audit.session,audit.subj,audit.op auditd-config_change key=\((\S+)\)|key="(\S+)"|key=(\S+) audit.key auditd-config_change list=(\S+) audit.list auditd-config_change res=(\S+) audit.res ^type=EXECVE auditd-execve msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): audit.id auditd-execve argc=\d+ a0="(\.*)" audit.execve.a0 auditd-execve a1="(\.*)" audit.execve.a1 auditd-execve a2="(\.*)" audit.execve.a2 auditd-execve a3="(\.*)" audit.execve.a3 auditd-execve a4="(\.*)" audit.execve.a4 auditd-execve a5="(\.*)" audit.execve.a5 auditd-execve a6="(\.*)" audit.execve.a6 auditd-execve a7="(\.*)" audit.execve.a7 ^type=PATH auditd-path msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\S+ name="(\.*)" inode=(\S+) dev=\S+ mode=(\S+) ouid=\S+ ogid=\S+ rdev=\S+ nametype=(\S+) audit.id,audit.directory.name, audit.directory.inode, audit.directory.mode,audit.directory.nametype auditd-path type=PATH msg=audit\(\S+\): item=\S+ name="(\.*)" inode=(\S+) dev=\S+ mode=(\S+) ouid=\S+ ogid=\S+ |type=PATH msg=audit\(\S+\): item=\S+ name=\((null)\) inode=(\S+) dev=\S+ mode=(\S+) ouid=\S+ ogid=\S+ audit.file.name, audit.file.inode, audit.file.mode ^type=SYSCALL auditd-syscall msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): audit.id auditd-syscall ^arch=(\S+) syscall=(\d+) success=(\S+) exit=(\S+) a0=\S+ a1=\S+ a2=\S+ a3=\S+ items=\S+ ppid=(\S+) pid=(\S+) auid=(\S+) uid=(\S+) gid=(\S+) euid=(\S+) suid=(\S+) fsuid=(\S+) egid=(\S+) sgid=(\S+) fsgid=(\S+) tty=(\S+) ses=(\S+) comm=\p(\S+)\p exe=\p(\S+)\p audit.arch,audit.syscall,audit.success,audit.exit,audit.ppid,audit.pid,audit.auid,audit.uid,audit.gid,audit.euid,audit.suid,audit.fsuid,audit.egid,audit.sgid,audit.fsgid,audit.tty,audit.session,audit.command,audit.exe auditd-syscall comm=\p*(\w+)\p* audit.command auditd-syscall exe=\p(\S+)\p audit.exe auditd-syscall key=\((\S+)\)|key="(\S+)"|key=(\S+) audit.key ^type= auditd-user_and_cred ^USER_ACCT |^CRED_ACQ |^USER_START |^CRED_REFR|^CRYPTO_KEY_USER|^CRYPTO_SESSION |^USER_AUTH |^USER_ROLE_CHANGE|^SERVICE_STOP ^(\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): audit.type,audit.id auditd-user_and_cred ^pid=(\S+) uid=(\S+) auid=(\S+) ses=(\S+) audit.pid,audit.uid,audit.auid,audit.session auditd-user_and_cred subj=(\S+) audit.subj auditd-user_and_cred acct="(\S+)" audit.acct auditd-user_and_cred unit=(\S+) audit.unit auditd-user_and_cred exe="(\S+)" audit.exe auditd-user_and_cred addr=(\S+) srcip