Auditbeat not displayiing parameters

I've setup Auditbeat to report on Docker activity but I don't see the parameters. For example if a user types docker exec auditbeat env, the resulting Auditbeat record just has { "auditd" : { "data": { "op": "exec"... but there's no parameters. What did they execute? I don't know because I don't see any parameters in the audit record.

Is this normal? Do I need to change a configuration to see the parameters?

How did you do this? Please show the configuration that you are using, OS version, and the Auditbeat version.

Are you monitoring execve syscalls? I would use something like:

- module: auditd
  audit_rules: |
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    - add_docker_metadata: ~

Container: Centos 7.4 - Linux 3.10
OS Host: Centos 7.2 - Linux 3.10
Auditbeat 6.2.4
Configuration below:


  • module: auditd
    audit_rules: |
    -w /usr/bin/docker -p rwxa -k docker

I'm not monitoring execve syscalls. I'll try that. I'm trying to avoid a lot of noise.

I added those rules and it looks a lot better. Thanks!