Linux

The `linux` log type records Linux syslog events.

The following snippet lists every `raw_field`-to-`ecs` mapping defined for this log type:

  1. "mappings": [
  2. {
  3. "raw_field":"name",
  4. "ecs":"user.filesystem.name"
  5. },
  6. {
  7. "raw_field":"a0",
  8. "ecs":"auditd.log.a0"
  9. },
  10. {
  11. "raw_field":"comm",
  12. "ecs":"auditd.log.comm"
  13. },
  14. {
  15. "raw_field":"exe",
  16. "ecs":"auditd.log.exe"
  17. },
  18. {
  19. "raw_field":"uid",
  20. "ecs":"auditd.log.uid"
  21. },
  22. {
  23. "raw_field":"USER",
  24. "ecs":"system.auth.user"
  25. },
  26. {
  27. "raw_field":"User",
  28. "ecs":"system.auth.user"
  29. },
  30. {
  31. "raw_field":"Image",
  32. "ecs":"process.exe"
  33. },
  34. {
  35. "raw_field":"DestinationHostname",
  36. "ecs":"rsa.web.remote_domain"
  37. },
  38. {
  39. "raw_field":"CommandLine",
  40. "ecs":"process.command_line"
  41. },
  42. {
  43. "raw_field":"ParentImage",
  44. "ecs":"process.parent.executable"
  45. },
  46. {
  47. "raw_field":"CurrentDirectory",
  48. "ecs":"process.working_directory"
  49. },
  50. {
  51. "raw_field":"LogonId",
  52. "ecs":"process.real_user.id"
  53. },
  54. {
  55. "raw_field":"creationTime",
  56. "ecs":"timestamp"
  57. }
  58. ]