Hi all,
I'm trying to use Auditbeat's system module to get currently installed packages on monitored hosts. While being very useful, I noticed it does not send any information about the package vendor.
Here is what I obtain using the rpm CLI:
```
rpm -qi elasticsearch
Name        : elasticsearch
Epoch       : 0
Version     : 8.5.0
Release     : 1
Architecture: x86_64
Install Date: Mon 28 Nov 2022 09:14:24 AM CET
Group       : Application/Internet
Size        : 1193406199
License     : Elastic License
Signature   : RSA/SHA512, Mon 24 Oct 2022 09:33:40 PM CEST, Key ID d27d666cd88e42b4
Source RPM  : elasticsearch-8.5.0-1-src.rpm
Build Date  : Mon 24 Oct 2022 07:02:41 PM CEST
Build Host  : packer-virtualbox-iso-1646848364
Relocations : /usr
Packager    : Elasticsearch
Vendor      : Elasticsearch
URL         : https://www.elastic.co/
Summary     : Distributed RESTful search engine built for the cloud
Description :
```
Here's the document ingested in Elasticsearch:
```json
"system": {
  "audit": {
    "package": {
      "license": "Elastic License",
      "name": "elasticsearch",
      "url": "https://www.elastic.co/",
      "entity_id": "XdmzuehYdFvo7ipG",
      "version": "8.5.0",
      "size": 1193406199,
      "summary": "Distributed RESTful search engine built for the cloud",
      "release": "1",
      "arch": "x86_64",
      "installtime": "2022-11-28T08:14:24.000Z"
    }
  }
}
```
Would it be possible to add this new field in a future version of this beat, or do you have any suggestions about retrieving it?
Auditbeat version: 8.5.2
Elasticsearch version: 8.5.0
Thank you!
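As an added example (not code from the post author, Auditbeat or Elastic), one way to collect the missing `Vendor` field yourself until the beat exposes it: query rpm with `--queryformat` for the tags you need and emit documents shaped like `system.audit.package`. The example also pulls the signing Key ID out of the package signature, because `Vendor` and `Packager` are free-text strings set by whoever built the RPM, whereas the Key ID comes from a signature the host's rpm actually verified against its imported keys, so it is the better provenance signal for a security reviewer. Assumptions, which are mine and not confirmed by the post: the host's rpm supports the listed query tags (check with `rpm --querytags`), the package is RSA-signed so `RSAHEADER:pgpsig` carries the signature (DSA-signed packages would need `DSAHEADER:pgpsig`), and the two sample lines below are constructed from the values in the post rather than captured from a real host.

```python
"""Collect rpm package metadata, including Vendor and signing Key ID,
as system.audit.package-style documents.

Added example; not Auditbeat code. Assumes the rpm query tags below exist
on the host (verify with `rpm --querytags`).
"""
import re
import subprocess
from datetime import datetime, timezone

# rpm header tags requested per package, in output column order.
RPM_TAGS = [
    "NAME", "EPOCH", "VERSION", "RELEASE", "ARCH",
    "VENDOR", "PACKAGER", "INSTALLTIME", "LICENSE", "URL",
    "RSAHEADER:pgpsig",  # assumption: RSA-signed packages; DSAHEADER:pgpsig for DSA
]
# Tab-separated so the comma-laden signature string stays in one column.
RPM_QUERYFORMAT = "\t".join("%{" + tag + "}" for tag in RPM_TAGS) + "\n"

# rpm prints "(none)" for absent header values.
NONE = "(none)"
KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})")

# Constructed sample lines (values taken from the post, not captured output).
# INSTALLTIME 1669623264 is 2022-11-28T08:14:24Z, the post's install date.
SAMPLE_SIGNED = (
    "elasticsearch\t0\t8.5.0\t1\tx86_64\tElasticsearch\tElasticsearch\t"
    "1669623264\tElastic License\thttps://www.elastic.co/\t"
    "RSA/SHA512, Mon 24 Oct 2022 09:33:40 PM CEST, Key ID d27d666cd88e42b4"
)
SAMPLE_UNSIGNED = (
    "localtool\t(none)\t1.0\t3\tnoarch\t(none)\tBuild User <build@localhost>\t"
    "1669623264\tMIT\t(none)\t(none)"
)


def _optional(value):
    """Map rpm's "(none)" placeholder to None."""
    return None if value == NONE else value


def parse_rpm_line(line):
    """Turn one queryformat line into a package document with vendor fields."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(RPM_TAGS):
        raise ValueError(f"expected {len(RPM_TAGS)} columns, got {len(fields)}")
    rec = dict(zip(RPM_TAGS, fields))
    installtime = datetime.fromtimestamp(int(rec["INSTALLTIME"]), timezone.utc)
    signature = _optional(rec["RSAHEADER:pgpsig"])
    match = KEY_ID_RE.search(signature) if signature else None
    return {
        "name": rec["NAME"],
        "epoch": _optional(rec["EPOCH"]),
        "version": rec["VERSION"],
        "release": rec["RELEASE"],
        "arch": rec["ARCH"],
        "installtime": installtime.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "license": _optional(rec["LICENSE"]),
        "url": _optional(rec["URL"]),
        # The fields Auditbeat's system/package dataset does not carry:
        "vendor": _optional(rec["VENDOR"]),
        "packager": _optional(rec["PACKAGER"]),
        "signature": signature,
        "signature_key_id": match.group(1).lower() if match else None,
    }


def provenance(pkg, trusted_key_ids):
    """Classify a package by its signing key rather than its self-asserted vendor."""
    key_id = pkg["signature_key_id"]
    if key_id is None:
        return "unsigned"
    trusted = {k.lower() for k in trusted_key_ids}
    return "signed-trusted" if key_id in trusted else "signed-unknown-key"


def query_installed():
    """Run rpm on the local host and parse every installed package (needs rpm)."""
    out = subprocess.run(
        ["rpm", "-qa", "--queryformat", RPM_QUERYFORMAT],
        check=True, capture_output=True, text=True,
    ).stdout
    return [parse_rpm_line(line) for line in out.splitlines() if line]


if __name__ == "__main__":
    for sample in (SAMPLE_SIGNED, SAMPLE_UNSIGNED):
        doc = parse_rpm_line(sample)
        print(doc["name"], doc["vendor"], provenance(doc, ["d27d666cd88e42b4"]))
```

The documents this produces can be shipped alongside the Auditbeat events (for example from a scheduled job that posts them to Elasticsearch) and joined on `name`/`version`/`arch`. Treat `vendor` as informational only; an alert on "unknown vendor" is easy to evade by setting the string, while `provenance()` keyed on the Key ID of your imported signing keys is not.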