We are running auditbeat with the auditd module using standard auditd.rules. We are seeing the events in our Elasticsearch instance; however, there is no user attribution tied to the events. It's great that we are seeing the events, but if we can't determine who ran the command, then it's pretty pointless.
This is particularly annoying when using the auditbeat file_integrity module which is really great apart from the fact that it doesn't indicate which user made the change to the file.
If we run auditd with filebeat (auditd module), then we see the events and the user.
Am I missing something with auditbeat?
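An added example, not part of the original post, showing where user attribution lives in a raw auditd SYSCALL record and why it is sometimes absent. Every SYSCALL record carries auid (the login uid set at session start), uid/euid (the user the process is actually running as) and ses (the session id); auditbeat's auditd module resolves those ids to names when its resolve_ids setting is on (the default) and reports auid as the primary actor. When auid is 4294967295 (unsigned -1, "unset"), the process was never started from a login session (daemons, cron jobs, services) and there is simply no user to attribute, which is the usual reason an event shows no actor. The file_integrity module is a separate case: its default inotify backend receives no process or user information from the kernel at all, so it cannot report who changed a file. The log lines and the passwd map below are constructed for the example; the user names are hypothetical.

```python
"""Extract the actor from raw auditd SYSCALL records.

Added example (not code from the original post or from auditbeat). It parses
the key=value format of /var/log/audit/audit.log, maps auid to the primary
actor and euid to the effective user, and flags records whose auid is unset.
"""
import re
from typing import Dict, List, Optional

AUID_UNSET = 4294967295  # -1 as uint32: process has no login session

# Constructed stand-in for /etc/passwd (hypothetical user names).
PASSWD = {0: "root", 1000: "alice", 1001: "bob"}

# Constructed sample records in raw audit.log format: an interactive `id`
# run via sudo by alice (auid=1000, euid=0) and an execve by cron (auid unset).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1609459200.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=3101 pid=3102 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="id" exe="/usr/bin/id" key="exec"
type=PROCTITLE msg=audit(1609459200.123:456): proctitle=6964
type=SYSCALL msg=audit(1609459201.456:457): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1 pid=2200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="exec"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")      # audit(timestamp:serial)


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit.log line into its key=value fields (quotes stripped)."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def resolve(uid: int, passwd: Dict[int, str] = PASSWD) -> str:
    """Map a numeric id to a name, falling back to the number (like resolve_ids)."""
    return passwd.get(uid, str(uid))


def actor(fields: Dict[str, str], passwd: Dict[int, str] = PASSWD) -> Dict[str, Optional[str]]:
    """Who to attribute the event to: auid -> primary (the person who logged in),
    euid -> secondary (the user the process runs as). Unset ids become None."""
    auid = int(fields.get("auid", AUID_UNSET))
    euid = int(fields.get("euid", fields.get("uid", AUID_UNSET)))
    ses = fields.get("ses")
    return {
        "primary": resolve(auid, passwd) if auid != AUID_UNSET else None,
        "secondary": resolve(euid, passwd) if euid != AUID_UNSET else None,
        "session": ses if ses not in (None, str(AUID_UNSET)) else None,
        "attributed": auid != AUID_UNSET,
    }


def summarize(log_text: str, passwd: Dict[int, str] = PASSWD) -> List[dict]:
    """Return one summary per SYSCALL record; other record types are skipped."""
    out = []
    for line in log_text.splitlines():
        fields = parse_record(line)
        if fields.get("type") != "SYSCALL":
            continue
        m = MSG_RE.search(fields.get("msg", ""))
        out.append({
            "serial": int(m.group(2)) if m else None,
            "comm": fields.get("comm"),
            "exe": fields.get("exe"),
            **actor(fields, passwd),
        })
    return out


if __name__ == "__main__":
    for ev in summarize(SAMPLE_LOG):
        who = ev["primary"] or "<no login session>"
        print(f"#{ev['serial']} {ev['exe']} by {who} (running as {ev['secondary']}, "
              f"session {ev['session']})")
```

To get attributable exec events in the first place, the audit rules themselves should be scoped to logged-in users, e.g. `-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec`; the `auid!=4294967295` clause is exactly the filter that excludes the unattributable daemon activity the second sample record represents.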