es4forensics 0.5.1

Import several timelines into elasticsearch
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

{"@timestamp":0,"ecs":{"version":"1.0.0"},"file":{"accessed":0,"created":0,"ctime":0,"gid":0,"inode":"62447617","macb_long":["modified","accessed","changed","created"],"macb_short":"macb","mtime":0,"path":"/$OrphanFiles","size":0,"uid":0},"message":"/$OrphanFiles","tags":["bodyfile"]}
{"@timestamp":1650277739000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661774614000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"36306945","macb_long":["modified"],"macb_short":"m...","mtime":1650277739000,"path":"/sys","size":4096,"uid":0},"message":"/sys","tags":["bodyfile"]}
{"@timestamp":1650277739000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661774614000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"42729473","macb_long":["modified"],"macb_short":"m...","mtime":1650277739000,"path":"/proc","size":4096,"uid":0},"message":"/proc","tags":["bodyfile"]}
{"@timestamp":1650502670000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001090000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"14","macb_long":["modified"],"macb_short":"m...","mtime":1650502670000,"path":"/lib32 -> usr/lib32","size":9,"uid":0},"message":"/lib32 -> usr/lib32","tags":["bodyfile"]}
{"@timestamp":1650502670000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001090000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"16","macb_long":["modified"],"macb_short":"m...","mtime":1650502670000,"path":"/libx32 -> usr/libx32","size":10,"uid":0},"message":"/libx32 -> usr/libx32","tags":["bodyfile"]}
{"@timestamp":1650502670000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666096013000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"12","macb_long":["modified"],"macb_short":"m...","mtime":1650502670000,"path":"/bin -> usr/bin","size":7,"uid":0},"message":"/bin -> usr/bin","tags":["bodyfile"]}
{"@timestamp":1650502670000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666096013000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"13","macb_long":["modified"],"macb_short":"m...","mtime":1650502670000,"path":"/lib -> usr/lib","size":7,"uid":0},"message":"/lib -> usr/lib","tags":["bodyfile"]}
{"@timestamp":1650502670000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666096013000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"15","macb_long":["modified"],"macb_short":"m...","mtime":1650502670000,"path":"/lib64 -> usr/lib64","size":9,"uid":0},"message":"/lib64 -> usr/lib64","tags":["bodyfile"]}
{"@timestamp":1650502670000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666096013000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"17","macb_long":["modified"],"macb_short":"m...","mtime":1650502670000,"path":"/sbin -> usr/sbin","size":8,"uid":0},"message":"/sbin -> usr/sbin","tags":["bodyfile"]}
{"@timestamp":1650502671000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001095000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"38010881","macb_long":["modified"],"macb_short":"m...","mtime":1650502671000,"path":"/srv","size":4096,"uid":0},"message":"/srv","tags":["bodyfile"]}
{"@timestamp":1650502863000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661774614000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"11403265","macb_long":["modified"],"macb_short":"m...","mtime":1650502863000,"path":"/dev","size":4096,"uid":0},"message":"/dev","tags":["bodyfile"]}
{"@timestamp":1650502978000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661774614000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"42991617","macb_long":["modified"],"macb_short":"m...","mtime":1650502978000,"path":"/run","size":4096,"uid":0},"message":"/run","tags":["bodyfile"]}
{"@timestamp":1661772116000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666017593000,"created":1661774614000,"ctime":1661772116000,"gid":0,"inode":"1703937","macb_long":["modified","changed"],"macb_short":"m.c.","mtime":1661772116000,"path":"/home","size":4096,"uid":0},"message":"/home","tags":["bodyfile"]}
{"@timestamp":1661774613000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661774613000,"created":1661774613000,"ctime":1661774613000,"gid":0,"inode":"11","macb_long":["modified","accessed","changed","created"],"macb_short":"macb","mtime":1661774613000,"path":"/lost+found","size":16384,"uid":0},"message":"/lost+found","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661774614000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"11403265","macb_long":["accessed","changed","created"],"macb_short":".acb","mtime":1650502863000,"path":"/dev","size":4096,"uid":0},"message":"/dev","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661774614000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"36306945","macb_long":["accessed","changed","created"],"macb_short":".acb","mtime":1650277739000,"path":"/sys","size":4096,"uid":0},"message":"/sys","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661774614000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"42729473","macb_long":["accessed","changed","created"],"macb_short":".acb","mtime":1650277739000,"path":"/proc","size":4096,"uid":0},"message":"/proc","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661774614000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"42991617","macb_long":["accessed","changed","created"],"macb_short":".acb","mtime":1650502978000,"path":"/run","size":4096,"uid":0},"message":"/run","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661774614000,"created":1661774614000,"ctime":1665391311000,"gid":0,"inode":"35520513","macb_long":["accessed","created"],"macb_short":".a.b","mtime":1665391311000,"path":"/root","size":4096,"uid":0},"message":"/root","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1665990211000,"created":1661774614000,"ctime":1666078218000,"gid":0,"inode":"28573697","macb_long":["created"],"macb_short":"...b","mtime":1666078218000,"path":"/etc","size":12288,"uid":0},"message":"/etc","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1665993755000,"created":1661774614000,"ctime":1664952849000,"gid":0,"inode":"44171265","macb_long":["created"],"macb_short":"...b","mtime":1664952849000,"path":"/opt","size":4096,"uid":0},"message":"/opt","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001090000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"14","macb_long":["changed","created"],"macb_short":"..cb","mtime":1650502670000,"path":"/lib32 -> usr/lib32","size":9,"uid":0},"message":"/lib32 -> usr/lib32","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001090000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"16","macb_long":["changed","created"],"macb_short":"..cb","mtime":1650502670000,"path":"/libx32 -> usr/libx32","size":10,"uid":0},"message":"/libx32 -> usr/libx32","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001095000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"38010881","macb_long":["changed","created"],"macb_short":"..cb","mtime":1650502671000,"path":"/srv","size":4096,"uid":0},"message":"/srv","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001095000,"created":1661774614000,"ctime":1662297551000,"gid":0,"inode":"20054017","macb_long":["created"],"macb_short":"...b","mtime":1662297551000,"path":"/media","size":4096,"uid":0},"message":"/media","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001095000,"created":1661774614000,"ctime":1662994653000,"gid":0,"inode":"42598401","macb_long":["created"],"macb_short":"...b","mtime":1662994653000,"path":"/mnt","size":4096,"uid":0},"message":"/mnt","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001104000,"created":1661774614000,"ctime":1662465949000,"gid":0,"inode":"62259201","macb_long":["created"],"macb_short":"...b","mtime":1662465949000,"path":"/var","size":4096,"uid":0},"message":"/var","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001104000,"created":1661774614000,"ctime":1664189794000,"gid":0,"inode":"60424193","macb_long":["created"],"macb_short":"...b","mtime":1664189794000,"path":"/snap","size":4096,"uid":0},"message":"/snap","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666017593000,"created":1661774614000,"ctime":1661772116000,"gid":0,"inode":"1703937","macb_long":["created"],"macb_short":"...b","mtime":1661772116000,"path":"/home","size":4096,"uid":0},"message":"/home","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666075507000,"created":1661774614000,"ctime":1661775937000,"gid":0,"inode":"655361","macb_long":["created"],"macb_short":"...b","mtime":1661775937000,"path":"/tmp","size":4096,"uid":0},"message":"/tmp","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666075617000,"created":1661774614000,"ctime":1664180505000,"gid":0,"inode":"47841281","macb_long":["created"],"macb_short":"...b","mtime":1664180505000,"path":"/usr","size":4096,"uid":0},"message":"/usr","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666093310000,"created":1661774614000,"ctime":1665561388000,"gid":0,"inode":"17039361","macb_long":["created"],"macb_short":"...b","mtime":1665561388000,"path":"/boot","size":4096,"uid":0},"message":"/boot","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666096013000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"12","macb_long":["changed","created"],"macb_short":"..cb","mtime":1650502670000,"path":"/bin -> usr/bin","size":7,"uid":0},"message":"/bin -> usr/bin","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666096013000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"13","macb_long":["changed","created"],"macb_short":"..cb","mtime":1650502670000,"path":"/lib -> usr/lib","size":7,"uid":0},"message":"/lib -> usr/lib","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666096013000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"15","macb_long":["changed","created"],"macb_short":"..cb","mtime":1650502670000,"path":"/lib64 -> usr/lib64","size":9,"uid":0},"message":"/lib64 -> usr/lib64","tags":["bodyfile"]}
{"@timestamp":1661774614000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666096013000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"17","macb_long":["changed","created"],"macb_short":"..cb","mtime":1650502670000,"path":"/sbin -> usr/sbin","size":8,"uid":0},"message":"/sbin -> usr/sbin","tags":["bodyfile"]}
{"@timestamp":1661774663000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666075507000,"created":1661774663000,"ctime":1661774663000,"gid":0,"inode":"18","macb_long":["modified","changed","created"],"macb_short":"m.cb","mtime":1661774663000,"path":"/swap.img","size":8589934592,"uid":0},"message":"/swap.img","tags":["bodyfile"]}
{"@timestamp":1661775906000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661851307000,"created":1661775906000,"ctime":1661775906000,"gid":0,"inode":"21","macb_long":["modified","changed","created"],"macb_short":"m.cb","mtime":1661775906000,"path":"/keyfile.upload","size":330,"uid":0},"message":"/keyfile.upload","tags":["bodyfile"]}
{"@timestamp":1661775925000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661851307000,"created":1661775925000,"ctime":1661775925000,"gid":0,"inode":"19","macb_long":["modified","changed","created"],"macb_short":"m.cb","mtime":1661775925000,"path":"/version","size":29,"uid":0},"message":"/version","tags":["bodyfile"]}
{"@timestamp":1661775937000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666075507000,"created":1661774614000,"ctime":1661775937000,"gid":0,"inode":"655361","macb_long":["modified","changed"],"macb_short":"m.c.","mtime":1661775937000,"path":"/tmp","size":4096,"uid":0},"message":"/tmp","tags":["bodyfile"]}
{"@timestamp":1661851307000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661851307000,"created":1661775906000,"ctime":1661775906000,"gid":0,"inode":"21","macb_long":["accessed"],"macb_short":".a..","mtime":1661775906000,"path":"/keyfile.upload","size":330,"uid":0},"message":"/keyfile.upload","tags":["bodyfile"]}
{"@timestamp":1661851307000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661851307000,"created":1661775925000,"ctime":1661775925000,"gid":0,"inode":"19","macb_long":["accessed"],"macb_short":".a..","mtime":1661775925000,"path":"/version","size":29,"uid":0},"message":"/version","tags":["bodyfile"]}
{"@timestamp":1662297551000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001095000,"created":1661774614000,"ctime":1662297551000,"gid":0,"inode":"20054017","macb_long":["modified","changed"],"macb_short":"m.c.","mtime":1662297551000,"path":"/media","size":4096,"uid":0},"message":"/media","tags":["bodyfile"]}
{"@timestamp":1662465949000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001104000,"created":1661774614000,"ctime":1662465949000,"gid":0,"inode":"62259201","macb_long":["modified","changed"],"macb_short":"m.c.","mtime":1662465949000,"path":"/var","size":4096,"uid":0},"message":"/var","tags":["bodyfile"]}
{"@timestamp":1662994653000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001095000,"created":1661774614000,"ctime":1662994653000,"gid":0,"inode":"42598401","macb_long":["modified","changed"],"macb_short":"m.c.","mtime":1662994653000,"path":"/mnt","size":4096,"uid":0},"message":"/mnt","tags":["bodyfile"]}
{"@timestamp":1664180505000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666075617000,"created":1661774614000,"ctime":1664180505000,"gid":0,"inode":"47841281","macb_long":["modified","changed"],"macb_short":"m.c.","mtime":1664180505000,"path":"/usr","size":4096,"uid":0},"message":"/usr","tags":["bodyfile"]}
{"@timestamp":1664189794000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001104000,"created":1661774614000,"ctime":1664189794000,"gid":0,"inode":"60424193","macb_long":["modified","changed"],"macb_short":"m.c.","mtime":1664189794000,"path":"/snap","size":4096,"uid":0},"message":"/snap","tags":["bodyfile"]}
{"@timestamp":1664952849000,"ecs":{"version":"1.0.0"},"file":{"accessed":1665993755000,"created":1661774614000,"ctime":1664952849000,"gid":0,"inode":"44171265","macb_long":["modified","changed"],"macb_short":"m.c.","mtime":1664952849000,"path":"/opt","size":4096,"uid":0},"message":"/opt","tags":["bodyfile"]}
{"@timestamp":1665391311000,"ecs":{"version":"1.0.0"},"file":{"accessed":1661774614000,"created":1661774614000,"ctime":1665391311000,"gid":0,"inode":"35520513","macb_long":["modified","changed"],"macb_short":"m.c.","mtime":1665391311000,"path":"/root","size":4096,"uid":0},"message":"/root","tags":["bodyfile"]}
{"@timestamp":1665561388000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666093310000,"created":1661774614000,"ctime":1665561388000,"gid":0,"inode":"17039361","macb_long":["modified","changed"],"macb_short":"m.c.","mtime":1665561388000,"path":"/boot","size":4096,"uid":0},"message":"/boot","tags":["bodyfile"]}
{"@timestamp":1665990211000,"ecs":{"version":"1.0.0"},"file":{"accessed":1665990211000,"created":1661774614000,"ctime":1666078218000,"gid":0,"inode":"28573697","macb_long":["accessed"],"macb_short":".a..","mtime":1666078218000,"path":"/etc","size":12288,"uid":0},"message":"/etc","tags":["bodyfile"]}
{"@timestamp":1665993755000,"ecs":{"version":"1.0.0"},"file":{"accessed":1665993755000,"created":1661774614000,"ctime":1664952849000,"gid":0,"inode":"44171265","macb_long":["accessed"],"macb_short":".a..","mtime":1664952849000,"path":"/opt","size":4096,"uid":0},"message":"/opt","tags":["bodyfile"]}
{"@timestamp":1666001090000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001090000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"14","macb_long":["accessed"],"macb_short":".a..","mtime":1650502670000,"path":"/lib32 -> usr/lib32","size":9,"uid":0},"message":"/lib32 -> usr/lib32","tags":["bodyfile"]}
{"@timestamp":1666001090000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001090000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"16","macb_long":["accessed"],"macb_short":".a..","mtime":1650502670000,"path":"/libx32 -> usr/libx32","size":10,"uid":0},"message":"/libx32 -> usr/libx32","tags":["bodyfile"]}
{"@timestamp":1666001095000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001095000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"38010881","macb_long":["accessed"],"macb_short":".a..","mtime":1650502671000,"path":"/srv","size":4096,"uid":0},"message":"/srv","tags":["bodyfile"]}
{"@timestamp":1666001095000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001095000,"created":1661774614000,"ctime":1662297551000,"gid":0,"inode":"20054017","macb_long":["accessed"],"macb_short":".a..","mtime":1662297551000,"path":"/media","size":4096,"uid":0},"message":"/media","tags":["bodyfile"]}
{"@timestamp":1666001095000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001095000,"created":1661774614000,"ctime":1662994653000,"gid":0,"inode":"42598401","macb_long":["accessed"],"macb_short":".a..","mtime":1662994653000,"path":"/mnt","size":4096,"uid":0},"message":"/mnt","tags":["bodyfile"]}
{"@timestamp":1666001104000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001104000,"created":1661774614000,"ctime":1662465949000,"gid":0,"inode":"62259201","macb_long":["accessed"],"macb_short":".a..","mtime":1662465949000,"path":"/var","size":4096,"uid":0},"message":"/var","tags":["bodyfile"]}
{"@timestamp":1666001104000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666001104000,"created":1661774614000,"ctime":1664189794000,"gid":0,"inode":"60424193","macb_long":["accessed"],"macb_short":".a..","mtime":1664189794000,"path":"/snap","size":4096,"uid":0},"message":"/snap","tags":["bodyfile"]}
{"@timestamp":1666017593000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666017593000,"created":1661774614000,"ctime":1661772116000,"gid":0,"inode":"1703937","macb_long":["accessed"],"macb_short":".a..","mtime":1661772116000,"path":"/home","size":4096,"uid":0},"message":"/home","tags":["bodyfile"]}
{"@timestamp":1666075507000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666075507000,"created":1661774614000,"ctime":1661775937000,"gid":0,"inode":"655361","macb_long":["accessed"],"macb_short":".a..","mtime":1661775937000,"path":"/tmp","size":4096,"uid":0},"message":"/tmp","tags":["bodyfile"]}
{"@timestamp":1666075507000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666075507000,"created":1661774663000,"ctime":1661774663000,"gid":0,"inode":"18","macb_long":["accessed"],"macb_short":".a..","mtime":1661774663000,"path":"/swap.img","size":8589934592,"uid":0},"message":"/swap.img","tags":["bodyfile"]}
{"@timestamp":1666075617000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666075617000,"created":1661774614000,"ctime":1664180505000,"gid":0,"inode":"47841281","macb_long":["accessed"],"macb_short":".a..","mtime":1664180505000,"path":"/usr","size":4096,"uid":0},"message":"/usr","tags":["bodyfile"]}
{"@timestamp":1666078218000,"ecs":{"version":"1.0.0"},"file":{"accessed":1665990211000,"created":1661774614000,"ctime":1666078218000,"gid":0,"inode":"28573697","macb_long":["modified","changed"],"macb_short":"m.c.","mtime":1666078218000,"path":"/etc","size":12288,"uid":0},"message":"/etc","tags":["bodyfile"]}
{"@timestamp":1666093310000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666093310000,"created":1661774614000,"ctime":1665561388000,"gid":0,"inode":"17039361","macb_long":["accessed"],"macb_short":".a..","mtime":1665561388000,"path":"/boot","size":4096,"uid":0},"message":"/boot","tags":["bodyfile"]}
{"@timestamp":1666096013000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666096013000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"12","macb_long":["accessed"],"macb_short":".a..","mtime":1650502670000,"path":"/bin -> usr/bin","size":7,"uid":0},"message":"/bin -> usr/bin","tags":["bodyfile"]}
{"@timestamp":1666096013000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666096013000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"13","macb_long":["accessed"],"macb_short":".a..","mtime":1650502670000,"path":"/lib -> usr/lib","size":7,"uid":0},"message":"/lib -> usr/lib","tags":["bodyfile"]}
{"@timestamp":1666096013000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666096013000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"15","macb_long":["accessed"],"macb_short":".a..","mtime":1650502670000,"path":"/lib64 -> usr/lib64","size":9,"uid":0},"message":"/lib64 -> usr/lib64","tags":["bodyfile"]}
{"@timestamp":1666096013000,"ecs":{"version":"1.0.0"},"file":{"accessed":1666096013000,"created":1661774614000,"ctime":1661774614000,"gid":0,"inode":"17","macb_long":["accessed"],"macb_short":".a..","mtime":1650502670000,"path":"/sbin -> usr/sbin","size":8,"uid":0},"message":"/sbin -> usr/sbin","tags":["bodyfile"]}