Auditbeat get package vendor

Hi all,

I'm trying to use Auditbeat's system module to get currently installed packages on monitored hosts. While being very useful, I noticed it does not send any information about the package vendor.
Here what I obtain using rpm CLI:

rpm -qi elasticsearch

Name        : elasticsearch
Epoch       : 0
Version     : 8.5.0
Release     : 1
Architecture: x86_64
Install Date: Mon 28 Nov 2022 09:14:24 AM CET
Group       : Application/Internet
Size        : 1193406199
License     : Elastic License
Signature   : RSA/SHA512, Mon 24 Oct 2022 09:33:40 PM CEST, Key ID d27d666cd88e42b4
Source RPM  : elasticsearch-8.5.0-1-src.rpm
Build Date  : Mon 24 Oct 2022 07:02:41 PM CEST
Build Host  : packer-virtualbox-iso-1646848364
Relocations : /usr 
Packager    : Elasticsearch
Vendor      : Elasticsearch
URL         :
Summary     : Distributed RESTful search engine built for the cloud
Description :

Here's the document ingested in Elasticsearch:

"system": {
      "audit": {
        "package": {
          "license": "Elastic License",
          "name": "elasticsearch",
          "url": "",
          "entity_id": "XdmzuehYdFvo7ipG",
          "version": "8.5.0",
          "size": 1193406199,
          "summary": "Distributed RESTful search engine built for the cloud",
          "release": "1",
          "arch": "x86_64",
          "installtime": "2022-11-28T08:14:24.000Z"

Would it be possibile to add this new field in a future version of this beat or do you have any suggestions about retrieving it?

Auditbeat version: 8.5.2
Elasticsearch version: 8.5.0

Thank you!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.