I'm trying to set log monitoring for servers but I can see logs that I have filtered out in Kibana. I want to it to only log entries where auid is between 2000 and 2099(including both). For that I have configured auditbeat with the following config.
Auditbeat config is here: https://pastebin.com/NP7ZmuK9
But I can also see entries with auid as "0" or "unset" as shown in the image below:
How can I make sure logs which have auid as unset or 0 are filtered out? All of my efforts in trial and error and Google searching/reading docs have been futile so far. Would really appreciate any help.