NAME,FORMAT,MEANING,EXCEPTION
a[0-3],numeric,the arguments to a syscall,syscall
a[[:digit:]+]\[.*\],encoded,the arguments to the execve syscall,execve
acct,encoded,a user's account name
acl,alpha,access mode of resource assigned to vm
action,numeric,netfilter packet disposition
added,numeric,number of new files detected
addr,encoded,the remote address that the user is connecting from
apparmor,encoded,apparmor event information
arch,numeric,the elf architecture flags
argc,numeric,the number of arguments to an execve syscall
audit_backlog_limit,numeric,audit system's backlog queue size
audit_backlog_wait_time,numeric,audit system's backlog wait time
audit_enabled,numeric,audit system's enable/disable status
audit_failure,numeric,audit system's failure mode
auid,numeric,login user id
banners,alphanumeric,banners used on printed page
bool,alphanumeric,name of selinux boolean
bus,alphanumeric,name of subsystem bus a vm resource belongs to
capability,numeric,posix capabilities
cap_fe,numeric,file assigned effective capability map
cap_fi,numeric,file inherited capability map
cap_fp,numeric,file permitted capability map
cap_fver,numeric,file system capabilities version number
cap_pe,numeric,process effective capability map
cap_pi,numeric,process inherited capability map
cap_pp,numeric,process permitted capability map
category,alpha,resource category assigned to vm
cgroup,encoded,path to cgroup in sysfs
changed,numeric,number of changed files
cipher,alphanumeric,name of crypto cipher selected
class,alpha,resource class assigned to vm
cmd,encoded,command being executed
code,numeric,seccomp action code
comm,encoded,command line program name
compat,numeric,is_compat_task result
cwd,encoded,the current working directory
daddr,alphanumeric,remote IP address
data,encoded,TTY text
default-context,alphanumeric,default MAC context
dev,numeric,in path records,major and minor for device
dev,alphanumeric,device name as found in /dev,avc
device,encoded,device name
dir,encoded,directory name
direction,alphanumeric,direction of crypto operation
dmac,numeric,remote MAC address
dport,numeric,remote port number
egid,numeric,effective group id
enforcing,numeric,new MAC enforcement status
entries,numeric,number of entries in the netfilter table
euid,numeric,effective user id
exe,encoded,executable name
exit,numeric,syscall exit code
family,numeric,netfilter protocol
fd,numeric,file descriptor number
file,encoded,file name
flags,numeric,mmap syscall flags
fe,numeric,file assigned effective capability map
feature,alphanumeric,kernel feature being changed
fi,numeric,file assigned inherited capability map
fp,numeric,file assigned permitted capability map
fp,alphanumeric,crypto key fingerprint,crypto_key
format,alphanumeric,audit log's format
fsgid,numeric,file system group id
fsuid,numeric,file system user id
fver,numeric,file system capabilities version number
gid,numeric,group id
grantors,alphanumeric,pam modules approving the action
grp,encoded,group name
hook,numeric,netfilter hook that packet came from
hostname,alphanumeric,the hostname that the user is connecting from
icmp_type,numeric,type of icmp message
id,numeric,during account changes,the user id of the account
igid,numeric,ipc object's group id
img-ctx,alphanumeric,the vm's disk image context string
inif,numeric,in interface number
ip,alphanumeric,network address of a printer
ipid,numeric,IP datagram fragment identifier
ino,numeric,inode number
inode,numeric,inode number
inode_gid,numeric,group id of the inode's owner
inode_uid,numeric,user id of the inode's owner
invalid_context,encoded,selinux context
item,numeric,which item is being recorded
items,numeric,the number of path records in the event
iuid,numeric,ipc object's user id
kernel,alphanumeric,kernel's version number
key,encoded,key assigned from triggered audit rule
kind,alphabet,server or client in crypto operation
ksize,numeric,key size for crypto operation
laddr,alphanumeric,local network address used in crypto session
len,numeric,length
lport,alphanumeric,local network port used in crypto session
list,numeric,the audit system's filter list number
mac,alphanumeric,crypto MAC algorithm selected
macproto,numeric,ethernet packet type ID field
maj,numeric,device major number
major,numeric,device major number
minor,numeric,device minor number
mode,numeric,mode flags on a file
model,alphanumeric,security model being used for virt
msg,alphanumeric,the payload of the audit record
nargs,numeric,the number of arguments to a socket call
name,encoded,file name in avcs
nametype,alphabet,kind of file operation being referenced
net,alphanumeric,network MAC address
new,numeric,value being set in feature
new-chardev,encoded,new character device being assigned to vm
new-disk,encoded,disk being added to vm
new-enabled,numeric,new TTY audit enabled setting
new-fs,encoded,file system being added to vm
new_gid,numeric,new group id being assigned
new-level,alphanumeric,new run level
new_lock,numeric,new value of feature lock
new-log_passwd,numeric,new value for TTY password logging
new-mem,numeric,new amount of memory in KB
new-net,encoded,MAC address being assigned to vm
new_pe,numeric,new process effective capability map
new_pi,numeric,new process inherited capability map
new_pp,numeric,new process permitted capability map
new-range,alphanumeric,new selinux range
new-rng,encoded,device name of rng being added from a vm
new-role,alphanumeric,new selinux role
new-seuser,alphanumeric,new selinux user
new-vcpu,numeric,new number of CPU cores
nlnk-grp,numeric,netlink group number
oauid,numeric,object's login user id
obj,alphanumeric,lspp object context string
obj_gid,numeric,group id of object
obj_uid,numeric,user id of object
oflag,numeric,open syscall flags
ogid,numeric,file owner group id
ocomm,encoded,object's command line name
old,numeric,present value of kernel feature
old,numeric,old audit_enabled,audit_backlog,or audit_failure value
old-auid,numeric,previous auid value
old-chardev,encoded,present character device assigned to vm
old-disk,encoded,disk being removed from vm
old-enabled,numeric,present TTY audit enabled setting
old_enforcing,numeric,old MAC enforcement status
old-fs,encoded,file system being removed from vm
old-level,alphanumeric,old run level
old_lock,numeric,present value of feature lock
old-log_passwd,numeric,present value for TTY password logging
old-mem,numeric,present amount of memory in KB
old-net,encoded,present MAC address assigned to vm
old_pe,numeric,old process effective capability map
old_pi,numeric,old process inherited capability map
old_pp,numeric,old process permitted capability map
old_prom,numeric,network promiscuity flag
old-range,alphanumeric,present selinux range
old-rng,encoded,device name of rng being removed from a vm
old-role,alphanumeric,present selinux role
old-ses,numeric,previous ses value
old-seuser,alphanumeric,present selinux user
old_val,numeric,current value of selinux boolean
old-vcpu,numeric,present number of CPU cores
op,alphanumeric,the operation being performed that is audited
opid,numeric,object's process id
oses,numeric,object's session id
ouid,numeric,file owner user id
outif,numeric,out interface number
parent,numeric,the inode number of the parent file
path,encoded,file system path name
per,numeric,linux personality
perm,numeric,the file permission being used
perm_mask,numeric,file permission mask that triggered a watch event
permissive,numeric,selinux is in permissive mode
pfs,alphanumeric,perfect forward secrecy method
pid,numeric,process id
ppid,numeric,parent process id
printer,alphanumeric,printer name
prom,numeric,network promiscuity flag
proctitle,encoded,process title and command line parameters
proto,numeric,network protocol
qbytes,numeric,ipc object's quantity of bytes
range,alphanumeric,user's SE Linux range
rdev,numeric,the device identifier (special files only)
reason,alphanumeric,text string denoting a reason for the action
removed,numeric,number of deleted files
res,alphanumeric,result of the audited operation (success/fail)
resrc,alphanumeric,resource being assigned
result,alphanumeric,result of the audited operation (success/fail)
role,alphanumeric,user's SE linux role
rport,numeric,remote port number
saddr,encoded,struct socket address structure
sauid,numeric,sent login user id
scontext,alphanumeric,the subject's context string
selected-context,alphanumeric,new MAC context assigned to session
seperm,alphanumeric,Selinux permission being decided on
seqno,numeric,sequence number
seperms,alpha,selinux permissions being used
seresult,alpha,Selinux AVC decision granted/denied
ses,numeric,login session id
seuser,alphanumeric,user's SE Linux user acct
sgid,numeric,set group id
sig,numeric,signal number
sigev_signo,numeric,signal number
smac,numeric,local MAC address
spid,numeric,sent process id
sport,numeric,local port number
state,alphanumeric,audit daemon configuration resulting state
subj,alphanumeric,lspp subject's context string
success,alphanumeric,whether the syscall was successful or not
suid,numeric,sent user id
syscall,numeric,syscall number in effect when the event occurred
table,alphanumeric,netfilter table name
tclass,alphanumeric,target's object classification
tcontext,alphanumeric,the target's or object's context string
terminal,alphanumeric,terminal name the user is running programs on
tty,alphanumeric,tty device the user is running programs on
type,alphanumeric,the audit record's type
uid,numeric,user id
unit,alphanumeric,systemd unit
uri,alphanumeric,URI pointing to a printer
user,alphanumeric,account submitted for authentication
uuid,alphanumeric,a UUID
val,alphanumeric,generic value associated with the operation
ver,numeric,audit daemon's version number
virt,alphanumeric,kind of virtualization being referenced
vm,encoded,virtual machine name
vm-ctx,alphanumeric,the vm's context string
vm-pid,numeric,vm's process id
watch,encoded,file name in a watch record