Linux Auditd
Linux audit framework (auditd) — syscall tracing (execve, openat, connect), PAM authentication, credential changes, user login/logout, sudo privilege escalation, and systemd service management.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/linux-auditd/generator.yml \
  --id auditd \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| SYSCALL-execve | Process execution (execve) | ~29% | process |
| SYSCALL-openat | File access (openat) | ~23% | file |
| SYSCALL-connect | Network connection (connect) | ~12% | network |
| USER_AUTH | PAM authentication | ~9% | authentication |
| CRED_ACQ | Credential acquisition | ~8% | authentication |
| CRED_DISP | Credential disposal | ~8% | authentication |
| USER_LOGIN | User login | ~5% | authentication |
| USER_CMD | Sudo command execution | ~3% | process |
| SERVICE_START | Systemd service start | ~2% | process |
| SERVICE_STOP | Systemd service stop | ~2% | process |
Realism Features
- Correlated authentication flow — USER_AUTH → CRED_ACQ → USER_LOGIN → CRED_DISP using shared session pools
- Correlated services — SERVICE_START creates entries consumed by SERVICE_STOP
- 50-host fleet — web servers, app servers, databases with per-host OS metadata (Debian, Ubuntu, Rocky Linux)
- 30 common Linux processes with correct parent-child relationships and arguments
- Multiple auth methods — sshd (40%), sudo (30%), cron (15%), su (10%), login (5%)
- Failure simulation — auth failures (15%), login failures (20%), execve non-zero exits (10%)
Sample Output
```json
{
  "@timestamp": "2026-02-21T12:00:01.234567+00:00",
  "event": {
    "action": "executed",
    "category": ["process"],
    "module": "auditd",
    "outcome": "success"
  },
  "process": {
    "args": ["cat", "/etc/hostname"],
    "executable": "/usr/bin/cat",
    "name": "cat",
    "parent": { "executable": "/usr/bin/bash", "name": "bash" }
  },
  "user": {
    "audit": { "name": "jsmith" },
    "name": "root"
  },
  "auditd": { "message_type": "syscall", "result": "success" }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| fqdn_suffix | example.com | Domain suffix appended to hostname |
| agent_version | 8.17.0 | Auditbeat version string |
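The generator's value for a detection team is that its output can be fed through the same checks as real Auditbeat data. The script below is an added example, not part of the content pack or the eventum project: it consumes events shaped like the Sample Output above and verifies two things the Realism Features section promises, namely that each login session walks the USER_AUTH → CRED_ACQ → USER_LOGIN → CRED_DISP chain in order, and that execve records where the audit (login) user differs from the effective user, as in the `jsmith`/`root` sample, are surfaced. Field names not shown in the sample are assumptions: `auditd.session` as the session key, and lower-cased record types such as `user_auth` in `auditd.message_type`. The JSON lines are constructed for the example, not generator output.

```python
"""Consumer for ECS-style auditd events (added example, not content-pack code).
Assumed fields beyond the page's sample: auditd.session (login session id) and
lower-cased record types such as "user_auth" in auditd.message_type."""
import json
from collections import defaultdict

# Order of the correlated authentication flow described in Realism Features.
AUTH_FLOW = ["user_auth", "cred_acq", "user_login", "cred_disp"]

# Constructed sample events (JSON lines), shaped like the page's sample output.
SAMPLE_EVENTS = """\
{"@timestamp":"2026-02-21T12:00:00+00:00","event":{"category":["authentication"],"outcome":"success"},"user":{"name":"jsmith"},"auditd":{"message_type":"user_auth","session":"101"}}
{"@timestamp":"2026-02-21T12:00:01+00:00","event":{"category":["authentication"],"outcome":"success"},"user":{"name":"jsmith"},"auditd":{"message_type":"cred_acq","session":"101"}}
{"@timestamp":"2026-02-21T12:00:02+00:00","event":{"category":["authentication"],"outcome":"success"},"user":{"name":"jsmith"},"auditd":{"message_type":"user_login","session":"101"}}
{"@timestamp":"2026-02-21T12:00:03+00:00","event":{"action":"executed","category":["process"],"outcome":"success"},"process":{"executable":"/usr/bin/cat","name":"cat","args":["cat","/etc/hostname"]},"user":{"audit":{"name":"jsmith"},"name":"root"},"auditd":{"message_type":"syscall","session":"101"}}
{"@timestamp":"2026-02-21T12:00:04+00:00","event":{"action":"executed","category":["process"],"outcome":"failure"},"process":{"executable":"/usr/bin/ls","name":"ls","args":["ls","/root"]},"user":{"audit":{"name":"jsmith"},"name":"jsmith"},"auditd":{"message_type":"syscall","session":"101"}}
{"@timestamp":"2026-02-21T12:00:05+00:00","event":{"category":["authentication"],"outcome":"success"},"user":{"name":"jsmith"},"auditd":{"message_type":"cred_disp","session":"101"}}
{"@timestamp":"2026-02-21T12:01:00+00:00","event":{"category":["authentication"],"outcome":"failure"},"user":{"name":"mallory"},"auditd":{"message_type":"user_auth","session":"102"}}
{"@timestamp":"2026-02-21T12:02:00+00:00","event":{"category":["authentication"],"outcome":"success"},"user":{"name":"svc"},"auditd":{"message_type":"cred_acq","session":"103"}}
{"@timestamp":"2026-02-21T12:02:01+00:00","event":{"category":["authentication"],"outcome":"success"},"user":{"name":"svc"},"auditd":{"message_type":"user_auth","session":"103"}}
"""


def parse_events(text):
    """Parse one JSON document per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def field(event, path, default=None):
    """Dotted lookup into nested ECS dicts, e.g. field(ev, "user.audit.name")."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def check_auth_flows(events):
    """Classify each session's auth chain as complete, incomplete or out_of_order."""
    by_session = defaultdict(list)
    # ISO-8601 timestamps in one fixed format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        mtype = field(ev, "auditd.message_type")
        if mtype in AUTH_FLOW:
            by_session[field(ev, "auditd.session")].append(mtype)
    status = {}
    for session, seen in by_session.items():
        if seen == AUTH_FLOW:
            status[session] = "complete"
        elif seen == AUTH_FLOW[: len(seen)]:
            status[session] = "incomplete"  # a prefix, e.g. a failed USER_AUTH
        else:
            status[session] = "out_of_order"
    return status


def find_escalated_execs(events):
    """execve records whose effective user differs from the audit (login) user."""
    hits = []
    for ev in events:
        if field(ev, "auditd.message_type") != "syscall" or field(ev, "event.action") != "executed":
            continue
        audit_user = field(ev, "user.audit.name")
        eff_user = field(ev, "user.name")
        if audit_user and eff_user and audit_user != eff_user:
            hits.append((audit_user, eff_user, field(ev, "process.executable")))
    return hits


def failure_rate(events, category):
    """Share of events in an ECS category whose event.outcome is "failure"."""
    matching = [ev for ev in events if category in (field(ev, "event.category") or [])]
    if not matching:
        return 0.0
    failed = sum(1 for ev in matching if field(ev, "event.outcome") == "failure")
    return failed / len(matching)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(check_auth_flows(evs))
    print(find_escalated_execs(evs))
    print(f"auth failure rate: {failure_rate(evs, 'authentication'):.0%}")
```

Pointing `parse_events` at a file produced by `eventum generate` instead of `SAMPLE_EVENTS` gives a quick sanity check that the generator's failure percentages and session correlation match what this page advertises before the data is used to exercise real detection rules.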
Related Generators
Windows Security Event Log
The Security channel of Windows Event Log — logon/logoff sessions, process creation, privilege escalation, account management, and audit policy changes from a 120-host Active Directory fleet.
Windows PowerShell
PowerShell classic and operational channels — engine lifecycle, script block logging, module invocations, pipeline execution, and provider starts. Includes obfuscated command detection and suspicious script patterns.
Windows Sysmon
Sysmon (System Monitor) operational channel — process creation with full command lines, network connections, file creates, registry modifications, DNS queries, and WMI events. SwiftOnSecurity-style tuning.