I am testing Auditbeat with auditd module. I have noticed that even if I don't have any auditd rule listed in my config, I can still see some events generated by this module.
I did some research here on the forum and other communities, and I found some info that PAM events are logged by default (which seems to be the case). Is there any documentation where I can find what exactly is logged by default?
Commands auditbeat show auditd-rules or auditctl -l show "no rules", but this is not right