Auditbeat event types

Auditbeat subscribes to all events from the kernel's audit framework. Even if you configure no audit rules, there are still events that get generated by other processes that publish audit events (like PAM, su, sudo).

You can add a processor to your configuration if you want to drop events. For example, if you only wanted to receive events related to audit rules that you configured, you could use:

auditbeat.modules:
- module: auditd
  processors:
  - drop_event.when.not.equals.event.category: "audit-rule"
  audit_rules: |
    # my audit rules

Linux has a list of audit event types. These map to event.type in Auditbeat. The value is lowercased and the leading AUDIT_ is removed.

The event.category field comes from Auditbeat. It sets the category based on the event.type value. You can see the list of categories in the code at https://github.com/elastic/go-libaudit/blob/bc29b128d4099fb834634afb535241f1608fb2f0/aucoalesce/event_type.go#L45-L63.
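As an added illustration (not code from Auditbeat, go-libaudit or the post above), the Python below models the two things the post describes: the event.type normalisation (leading AUDIT_ stripped, value lowercased) and the effect of a `drop_event.when.not.equals.event.category: "audit-rule"` processor. The sample events are constructed; the "audit-rule" category comes from the post, while "user-login" is an assumed category value used only to show a non-matching event being dropped.

```python
# Added example, not Auditbeat's own implementation: a small model of the
# drop_event processor's "when.not.equals" condition applied to constructed
# auditd events, plus the kernel type -> event.type mapping described above.

AUDIT_PREFIX = "AUDIT_"


def to_event_type(kernel_type: str) -> str:
    """Map a kernel audit record type name (e.g. AUDIT_USER_AUTH) to the
    Auditbeat event.type value: leading AUDIT_ removed, then lowercased."""
    if kernel_type.startswith(AUDIT_PREFIX):
        kernel_type = kernel_type[len(AUDIT_PREFIX):]
    return kernel_type.lower()


def get_dotted(event: dict, path: str):
    """Resolve a dotted field name such as 'event.category' against a
    nested dict; returns None when any segment is missing."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def drop_when_not_equals(events, field, value):
    """Model of  drop_event.when.not.equals.<field>: <value>
    Only events whose <field> equals <value> survive; everything else,
    including events that lack the field entirely, is dropped."""
    return [e for e in events if get_dotted(e, field) == value]


# Constructed sample events (shapes simplified to the fields used here).
# "audit-rule" is the category named in the post; "user-login" is assumed
# for the PAM/sshd-style event so the filter has something to drop.
SAMPLE_EVENTS = [
    {"event": {"type": to_event_type("AUDIT_SYSCALL"), "category": "audit-rule"},
     "process": {"name": "cat"}},
    {"event": {"type": to_event_type("AUDIT_USER_AUTH"), "category": "user-login"},
     "process": {"name": "sshd"}},
    {"event": {"type": to_event_type("AUDIT_PATH"), "category": "audit-rule"},
     "file": {"path": "/etc/shadow"}},
    # Event with no event.category at all: also dropped by not.equals.
    {"event": {"type": to_event_type("AUDIT_EOE")}},
]


def kept_event_types(events=SAMPLE_EVENTS):
    """Apply the post's filter and report which event.type values remain."""
    kept = drop_when_not_equals(events, "event.category", "audit-rule")
    return [e["event"]["type"] for e in kept]


if __name__ == "__main__":
    print(kept_event_types())  # ['syscall', 'path']
```

Note that `not.equals` also drops events where the field is absent, which is the behaviour you want when the goal is "only my rules' events", but worth remembering if some pipeline stage can emit records without event.category.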