socket_events
Track network socket opens and closes.
Platform support
Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this query supports. Zercurity will automatically pause a query if errors are detected. Running this query against an unsupported platform results in the following error: no such table: socket_events
Linux
Table schema
| Name | Type | Description |
|---|---|---|
| action | TEXT | The socket action (bind, listen, close) |
| pid | BIGINT | Process (or thread) ID |
| path | TEXT | Path of executed file |
| fd | TEXT | The file descriptor for the process socket |
| auid | BIGINT | Audit User ID |
| success | INTEGER | The socket open attempt status |
| family | INTEGER | The Internet protocol family ID |
| protocol | INTEGER | The network protocol ID |
| local_address | TEXT | Local address associated with socket |
| remote_address | TEXT | Remote address associated with socket |
| local_port | INTEGER | Local network protocol port number |
| remote_port | INTEGER | Remote network protocol port number |
| socket | TEXT | The local path (UNIX domain socket only) |
| time | BIGINT | Time of execution in UNIX time |
| uptime | BIGINT | Time of execution in system uptime |
| eid | TEXT | Event ID |
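The following query is an added example of how a defender would typically use this table; it is not part of the Zercurity documentation or of the osquery project. It surfaces, from the last hour of events, every successful new listener and every successful connection to an address outside the loopback and RFC 1918 private ranges, so that unexpected services and outbound connections can be reviewed alongside the process path, pid and audit user that created the socket. Column names come from the schema above. The one-hour window, the private-range filter, the AF_INET/AF_INET6 labels (2 and 10 on Linux) and the `connect` action value are assumptions of this example: the page only lists bind, listen and close as actions, so adjust the action filter to the values your agents actually report.

```sql
-- Added example (not from the Zercurity page or osquery): review recent
-- listeners and external connections recorded in socket_events.
-- Assumptions: a one-hour look-back, 'connect' as the action name for
-- outbound connections, and Linux AF_INET (2) / AF_INET6 (10) family values.
SELECT
  datetime(time, 'unixepoch') AS event_time,
  eid,                                 -- keep the event ID for de-duplication
  action,
  pid,
  auid,                                -- audit UID survives sudo/su, unlike the effective UID
  path,
  CASE family
    WHEN 2  THEN 'AF_INET'
    WHEN 10 THEN 'AF_INET6'
    ELSE 'family_' || family
  END AS address_family,
  local_address,
  local_port,
  remote_address,
  remote_port
FROM socket_events
WHERE success = 1                      -- only sockets that actually opened
  AND time > (CAST(strftime('%s', 'now') AS INTEGER) - 3600)
  AND (socket IS NULL OR socket = '')  -- skip UNIX domain sockets (socket holds their path)
  AND (
        action = 'listen'              -- a new service started listening on this host
     OR (
          action = 'connect'           -- assumed action value for outbound connections
          AND remote_address NOT LIKE '127.%'
          AND remote_address NOT LIKE '10.%'
          AND remote_address NOT LIKE '192.168.%'
          AND remote_address NOT GLOB '172.1[6-9].*'
          AND remote_address NOT GLOB '172.2[0-9].*'
          AND remote_address NOT GLOB '172.3[01].*'
          AND remote_address NOT LIKE '::1'
        )
  )
ORDER BY time DESC;
```

Because this is an events table, the rows are a stream rather than a snapshot: the same listener will not reappear on a later poll unless the process binds again, so the query is best scheduled at an interval no longer than the look-back window and the results keyed on eid. Pair the path column with your allow-list of expected network daemons; a listen from an interpreter, a file under /tmp, or a path outside the package-managed directories is the kind of row worth escalating.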