The hard link syscalls (link and linkat) do not seem to be configured properly and do not get the same treatment as other file calls.
If no one is currently working on it, I am happy to provide a pr to add them to go-libaudit/aucoalesce/normalizations.yaml
I've already tested a modified version with an extra block similar to symlink and the resulting output from auditbeat seems consistent and works well with my downstream pipeline.
Please do open a PR for elastic/go-libaudit. We probably don't have any test data with those syscalls so we should add some tests with the PR. Thanks.
I included some suggesting for testing, but did not add testing traces.
It looks like filebeat also has a syscall table that lacks these calls. I don't use that myself and have not examined the impact.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.