Question: Can I add the IP that issued a command to that command?

Hi,

Context: auditbeat on RHEL, auditd module
Ideally, I would like to remove a ton of fields that are of no use to a human being (not related to this topic), and add a field that would show me the IP that issued a given command.

Example:

  1. user issues "somecommand.sh"
  2. Audit log will show (desired result): [host-command-issued-on][user-IP][command-with-args]
    (this is a pseudo audit record, just to show the desired IP part of the result)

Unfortunately, though I saw there was an option to add custom fields, I cannot find anything on them being based on custom code, and if I just add "source.ip", it doesn't catch anything (I assume because that field does not exist for these entries).

Is there a way of doing this?
If there's a built-in way of doing it, that would be ideal, but if the way is something that lets me add a field based on custom code, that will also work, as I do have some sh code that can link an IP to a PID, provided it can be fed said PID.

Thanks,
Ziv.
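One way to get the "[host][user-IP][command-with-args]" record the post asks for, as an added example that is not part of the original post and not Auditbeat code: auditd stamps every record with the login session id (`ses=`), and the `USER_LOGIN` record for an SSH login carries the client address (`addr=`). Joining `SYSCALL`/`EXECVE` records to the most recent successful login with the same `ses` therefore attaches an IP to each command without any PID-to-socket lookup. The script below parses raw `/var/log/audit/audit.log` lines (the sample lines are constructed for this example) and performs that join; it also handles the two cases where no IP exists: session `4294967295` (no login session, e.g. cron or a daemon) and `addr=?` (a local console login). Auditbeat's auditd module exposes the same session id as `auditd.session`, so the identical correlation can be done downstream on its events.

```python
import re
from collections import defaultdict

# Prefix of every audit record: optional node=, then type, timestamp and serial.
_HDR = re.compile(
    r'^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+'
    r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; values may be "double-quoted", 'single-quoted' (the msg='...'
# envelope of USER_* records) or bare.
_KV = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|\'[^\']*\'|\S+)')

UNSET_SESSION = "4294967295"  # auditd's value for "no login session"


def parse_line(line):
    """Parse one audit record into {type, serial, ts, node, fields}."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, val in _KV.findall(m.group("body")):
        if key == "msg" and val.startswith("'"):
            # USER_* records nest their payload in msg='...'; flatten it.
            for ikey, ival in _KV.findall(val[1:-1]):
                fields[ikey] = ival.strip('"')
        else:
            fields[key] = val.strip('"')
    return {"type": m.group("type"), "serial": m.group("serial"),
            "ts": m.group("ts"), "node": m.group("node"), "fields": fields}


def correlate(lines):
    """Attach the login IP of the audit session to every execve event."""
    session_ip = {}                 # ses -> IP of the login that opened it
    events, order = defaultdict(list), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["serial"] not in events:
            order.append(rec["serial"])
        events[rec["serial"]].append(rec)   # records sharing a serial are one event

    results = []
    for serial in order:                    # audit.log is chronological, so a
        by_type = {r["type"]: r for r in events[serial]}   # login precedes its commands
        if "USER_LOGIN" in by_type:
            f = by_type["USER_LOGIN"]["fields"]
            if f.get("res") == "success" and f.get("ses") not in (None, UNSET_SESSION):
                addr = f.get("addr", "?")
                session_ip[f["ses"]] = "local" if addr == "?" else addr
        if "SYSCALL" in by_type and "EXECVE" in by_type:
            sc = by_type["SYSCALL"]["fields"]
            ex = by_type["EXECVE"]["fields"]
            args = [ex.get(f"a{i}", "") for i in range(int(ex.get("argc", 0)))]
            ses = sc.get("ses")
            if ses == UNSET_SESSION:
                ip = "no-session"           # cron, systemd units, daemons
            else:
                ip = session_ip.get(ses, "unknown")  # login happened before the log started
            results.append({"host": by_type["SYSCALL"]["node"] or "?",
                            "ip": ip, "session": ses, "pid": sc.get("pid"),
                            "auid": sc.get("auid"), "command": " ".join(args)})
    return results


def format_record(r):
    """Render one result in the [host][ip][command] shape from the question."""
    return f"[{r['host']}][{r['ip']}][{r['command']}] pid={r['pid']} auid={r['auid']}"


# Constructed sample audit lines (not real captures): an SSH login, a command in
# that session, a sessionless cron job, a console login and a command in it.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1700000000.100:101): pid=4001 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=4005 pid=4010 auid=1000 uid=1000 gid=1000 ses=7 comm="somecommand.sh" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.200:102): argc=2 a0="/usr/bin/bash" a1="somecommand.sh"
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 ses=4294967295 comm="cron-job" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.300:103): argc=3 a0="/bin/sh" a1="-c" a2="/usr/local/bin/cron-job"
type=USER_LOGIN msg=audit(1700000000.400:104): pid=4100 uid=0 auid=1001 ses=8 msg='op=login id=1001 exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=SYSCALL msg=audit(1700000000.500:105): arch=c000003e syscall=59 success=yes exit=0 ppid=4101 pid=4120 auid=1001 uid=1001 gid=1001 ses=8 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1700000000.500:105): argc=1 a0="id"
"""

if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG.splitlines()):
        print(format_record(rec))
```

The session id is the right join key rather than the PID: a shell spawned by the SSH session and every child it forks inherit the same `ses`, so one login record explains a whole tree of later commands, and the `auid` column keeps the original login user even after `sudo`. Events tagged `unknown` are worth keeping rather than dropping, since they mean the log was rotated after the login and the IP must be recovered from the previous file.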

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.