socket_events

Track network socket opens and closes.

Platform support

Please be aware that some queries can only be run against certain platforms. Below is the list of platforms this table supports. Zercurity will automatically pause a query if errors are detected. Running this query against an unsupported platform results in the following error: no such table: socket_events

  • Linux

Table schema

| Name           | Type    | Description                                   |
|----------------|---------|-----------------------------------------------|
| action         | TEXT    | The socket action (bind, listen, close)       |
| pid            | BIGINT  | Process (or thread) ID                        |
| path           | TEXT    | Path of executed file                         |
| fd             | TEXT    | The file descriptor for the process socket    |
| auid           | BIGINT  | Audit User ID                                 |
| success        | INTEGER | The socket open attempt status                |
| family         | INTEGER | The Internet protocol family ID               |
| protocol       | INTEGER | The network protocol ID                       |
| local_address  | TEXT    | Local address associated with socket          |
| remote_address | TEXT    | Remote address associated with socket         |
| local_port     | INTEGER | Local network protocol port number            |
| remote_port    | INTEGER | Remote network protocol port number           |
| socket         | TEXT    | The local path (UNIX domain socket only)      |
| time           | BIGINT  | Time of execution in UNIX time                |
| uptime         | BIGINT  | Time of execution in system uptime            |
| eid            | TEXT    | Event ID                                      |

Query examples

Select all the results for the given table.

SELECT * FROM socket_events;
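A more targeted query, added here as an example and not part of the original page: it uses only the columns in the schema above to surface processes that bound a socket to a non-loopback IPv4 or IPv6 address in the last 24 hours, then summarises bound ports per binary. The family constants (2 for AF_INET, 10 for AF_INET6) are Linux values; the allowlisted paths are placeholders to replace with your own. On Linux this table is fed by osquery's audit event publisher, so it stays empty unless socket auditing is enabled (the `--audit_allow_sockets` osquery flag).

```sql
-- Added example, not from the Zercurity page. Assumes the Linux address
-- family constants AF_INET = 2 and AF_INET6 = 10, and that success = 1
-- marks a socket call that completed without error.

-- 1. Recent successful binds to an address other than loopback, newest first.
--    Known daemons are filtered out with a placeholder allowlist.
SELECT
  datetime(time, 'unixepoch') AS event_time,
  pid,
  path,
  auid,
  family,
  protocol,
  local_address,
  local_port,
  eid
FROM socket_events
WHERE action = 'bind'
  AND success = 1
  AND family IN (2, 10)
  AND local_address NOT IN ('127.0.0.1', '::1')
  AND time > CAST(strftime('%s', 'now') AS INTEGER) - 86400
  AND path NOT IN ('/usr/sbin/sshd', '/usr/sbin/nginx')   -- placeholder allowlist
ORDER BY time DESC;

-- 2. One row per binary: how many distinct ports it bound in the same window,
--    useful for spotting a process that suddenly opens many listeners.
SELECT
  path,
  COUNT(DISTINCT local_port) AS distinct_ports,
  MIN(local_port)            AS lowest_port,
  MAX(local_port)            AS highest_port,
  COUNT(*)                   AS bind_events
FROM socket_events
WHERE action = 'bind'
  AND success = 1
  AND family IN (2, 10)
  AND time > CAST(strftime('%s', 'now') AS INTEGER) - 86400
GROUP BY path
ORDER BY distinct_ports DESC, bind_events DESC;
```

Both statements read from the event buffer only, so the 24-hour window is bounded by how long your deployment retains socket_events rows; widen or narrow the `86400` offset to match that retention.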