Add dynamic template definition for the arguments to a syscall

elastic · Feb 21, 2025 · 1aa7413 · 1aa7413
1 parent ea8565e
commit 1aa7413
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/packages/auditd_manager/data_stream/auditd/fields/fields.yml b/packages/auditd_manager/data_stream/auditd/fields/fields.yml
@@ -739,6 +739,9 @@
   type: keyword
 - name: auditd.data.result
   type: keyword
+- name: auditd.data.a*
+  description: the arguments to a syscall
+  type: keyword
 - name: auditd.data.*
   description: Auditd related data
   type: keyword
diff --git a/packages/auditd_manager/docs/README.md b/packages/auditd_manager/docs/README.md
@@ -313,6 +313,7 @@ An example event for `auditd` looks as following:
 |---|---|---|
 | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | auditd.data.\* | Auditd related data | keyword |
+| auditd.data.a\* | the arguments to a syscall | keyword |
 | auditd.data.acct | a user's account name | keyword |
 | auditd.data.acl | access mode of resource assigned to vm | keyword |
 | auditd.data.action | netfilter packet disposition | keyword |