socket_events

Track network socket opens and closes.

Platform support

Please be aware that some queries can only be run against certain platforms. Below is the list of platforms on which this table is supported. Zercurity will automatically pause a query from running if errors are detected. Running this query against an unsupported platform will result in the following error: no such table: socket_events

  • Linux

Table schema

Name            Type     Description
action          TEXT     The socket action (bind, listen, close)
pid             BIGINT   Process (or thread) ID
path            TEXT     Path of executed file
fd              TEXT     The file descriptor for the process socket
auid            BIGINT   Audit User ID
success         INTEGER  The socket open attempt status
family          INTEGER  The Internet protocol family ID
protocol        INTEGER  The network protocol ID
local_address   TEXT     Local address associated with socket
remote_address  TEXT     Remote address associated with socket
local_port      INTEGER  Local network protocol port number
remote_port     INTEGER  Remote network protocol port number
socket          TEXT     The local path (UNIX domain socket only)
time            BIGINT   Time of execution in UNIX time
uptime          BIGINT   Time of execution in system uptime
eid             TEXT     Event ID

Query examples

Select all the results for the given table.

SELECT * FROM socket_events;
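As an added example (not part of the Zercurity documentation), the queries below use only the columns above to surface new listening sockets and to summarise which binaries are listening on which ports. The allowlisted paths and the 900-second window are constructed assumptions; adjust them to the host's expected services and the query's schedule interval.

```sql
-- Added example: recent successful bind/listen events from binaries that are
-- not on a constructed allowlist of expected network services.
-- Assumes the query is scheduled every 15 minutes (900 s), so 'time' is
-- filtered to that window; datetime()/strftime() are SQLite built-ins.
SELECT
  datetime(time, 'unixepoch') AS event_time,
  eid,
  pid,
  auid,
  path,
  action,
  family,
  protocol,
  local_address,
  local_port,
  socket
FROM socket_events
WHERE success = 1
  AND action IN ('bind', 'listen')
  AND time > (strftime('%s', 'now') - 900)
  AND path NOT IN (
        '/usr/sbin/sshd',      -- constructed allowlist entries
        '/usr/sbin/nginx'
      )
ORDER BY time DESC;

-- Added example: one row per (binary, local port) that has been bound in the
-- window, with the count of distinct PIDs, to spot a port that is suddenly
-- served by an unexpected path or by many short-lived processes.
SELECT
  path,
  local_port,
  COUNT(DISTINCT pid) AS distinct_pids,
  MIN(datetime(time, 'unixepoch')) AS first_seen,
  MAX(datetime(time, 'unixepoch')) AS last_seen
FROM socket_events
WHERE success = 1
  AND action = 'bind'
  AND local_port > 0
  AND time > (strftime('%s', 'now') - 900)
GROUP BY path, local_port
ORDER BY distinct_pids DESC, last_seen DESC;
```

Because socket_events is an evented table, each scheduled run returns only the events recorded since the previous run, so the time window mainly guards against backlog after a missed interval.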