@ceeeekay
Created March 22, 2018 23:24
{
"_index": "auditbeat-sysadmins-2018.03.22",
"_type": "doc",
"_id": "_CbgT2IB054YNI_3MsBK",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2018-03-22T22:40:53.536Z",
"file": {
"group": "officeadm",
"gid": "7003",
"owner": "user_redacted",
"uid": "10067",
"path": "2F73686172652F67656E6572616C2F706174685F7265646163746564",
"mode": "0775",
"inode": "1442434",
"device": "00:00"
},
"user": {
"egid": "55610",
"suid": "0",
"fsuid": "55610",
"gid": "0",
"name_map": {
"egid": "user_redacted",
"suid": "root",
"fsuid": "user_redacted",
"gid": "root",
"sgid": "root",
"fsgid": "user_redacted",
"euid": "user_redacted",
"uid": "user_redacted"
},
"sgid": "0",
"fsgid": "55610",
"euid": "55610",
"uid": "55610",
"auid": "unset"
},
"type": "auditbeat",
"event": {
"module": "auditd",
"type": "syscall",
"category": "audit-rule",
"action": "checked-metadata-of"
},
"process": {
"pid": "17512",
"cwd": "/share/general",
"ppid": "7531",
"name": "smbd",
"exe": "/usr/sbin/smbd"
},
"host": "fileshare",
"beat": {
"version": "6.2.0",
"hostname": "fileshare",
"name": "fileshare"
},
"client_id": "sysadmins",
"broker": [
"kafka-filter",
"kafka-index"
],
"tags": [
"beats_input_raw_event"
],
"timezone": "Pacific/Auckland",
"auditd": {
"sequence": 1428931,
"session": "unset",
"data": {
"a2": "7ffe731f74f0",
"syscall": "getxattr",
"a0": "7f56502bb320",
"arch": "x86_64",
"exit": "ENODATA",
"a3": "84",
"tty": "(none)",
"a1": "7f5645ef5a50"
},
"summary": {
"how": "/usr/sbin/smbd",
"actor": {
"secondary": "user_redacted",
"primary": "unset"
},
"object": {
"type": "file",
"primary": "2F73686172652F67656E6572616C2F706174685F7265646163746564"
}
},
"result": "fail",
"paths": [
{
"rdev": "00:00",
"dev": "fc:01",
"ogid": "7003",
"item": "0",
"mode": "042775",
"name": "2F73686172652F67656E6572616C2F706174685F7265646163746564",
"inode": "1442434",
"ouid": "10067",
"nametype": "NORMAL"
}
],
"messages": [
"type=SYSCALL msg=audit(1521758453.536:1428931): arch=c000003e syscall=191 success=no exit=-61 a0=7f56502bb320 a1=7f5645ef5a50 a2=7ffe731f74f0 a3=84 items=1 ppid=7531 pid=17512 auid=4294967295 uid=55610 gid=0 euid=55610 suid=0 fsuid=55610 egid=55610 sgid=0 fsgid=55610 tty=(none) ses=4294967295 comm=\"smbd\" exe=\"/usr/sbin/smbd\" key=(null)",
"type=CWD msg=audit(1521758453.536:1428931): cwd=\"/share/general\"",
"type=PATH msg=audit(1521758453.536:1428931): item=0 name=2F73686172652F67656E6572616C2F706174685F7265646163746564 inode=1442434 dev=fc:01 mode=042775 ouid=10067 ogid=7003 rdev=00:00 nametype=NORMAL"
]
},
"kelp_ingress_time": "2018-03-22T22:40:53.536Z",
"@version": "1"
},
"fields": {
"@timestamp": [
"2018-03-22T22:40:53.536Z"
]
},
"sort": [
1521758453536
]
}