I've just set up Auditbeat on a RHEL 8 box to log various commands.
In the 'audit.rules.d' directory I've added a new file with entries such as:
-a always,exit -F path=/usr/bin/wget -F perm=x -k external_call
Running ausearch -k external_call reports correctly.
If I look in Kibana, the "tags" field isn't even listed as an option in the "Available Fields" column.
How can I tell where the breakdown is for the -k tags not being sent to ES?