The auid field is set to "unset" in many documents.
A sample document is shown here. In the "message" field there is a value for auid, but in the parsed section the auid is set to "unset".
{
  "process": {
    "cwd": "/var/spool/cron",
    "exe": "/opt/omi/bin/omicli",
    "name": "omicli",
    "pid": "38123",
    "title": "/opt/omi/bin/omicli iv root/oms { MSFT_DSCLocalConfigurationManager } PerformRequiredConfigurationChecks { Flags 1 }",
    "ppid": "38113"
  },
  "osName": "ubuntu",
  "auditd": {
    "summary": {
      "actor": {
        "secondary": "omsagent",
        "primary": "unset"
      },
      "how": "/opt/omi/bin/omicli",
      "object": {
        "type": "file",
        "primary": "/var/opt/omi/log/miclient.log"
      }
    },
    "result": "fail",
    "sequence": 6221321,
    "data": {
      "a1": "441",
      "a2": "1b6",
      "syscall": "open",
      "exit": "EACCES",
      "a3": "0",
      "tty": "(none)",
      "arch": "x86_64",
      "a0": "7f6bccbfa050"
    },
    "session": "unset",
    "paths": [
      {
        "mode": "040755",
        "inode": "2101019",
        "item": "0",
        "dev": "fc:00",
        "ouid": "995",
        "rdev": "00:00",
        "nametype": "PARENT",
        "ogid": "996",
        "name": "/var/opt/omi/log/"
      },
      {
        "name": "/var/opt/omi/log/miclient.log",
        "item": "1",
        "nametype": "CREATE"
      }
    ],
    "messages": [
      "type=SYSCALL msg=audit(1553869801.287:6221321): arch=c000003e syscall=2 success=no exit=-13 a0=7f6bccbfa050 a1=441 a2=1b6 a3=0 items=2 ppid=38113 pid=38123 auid=4294967295 uid=994 gid=997 euid=994 suid=994 fsuid=994 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm=\"omicli\" exe=\"/opt/omi/bin/omicli\" key=\"access\"",
      "type=CWD msg=audit(1553869801.287:6221321): cwd=\"/var/spool/cron\"",
      "type=PATH msg=audit(1553869801.287:6221321): item=0 name=\"/var/opt/omi/log/\" inode=2101019 dev=fc:00 mode=040755 ouid=995 ogid=996 rdev=00:00 nametype=PARENT",
      "type=PATH msg=audit(1553869801.287:6221321): item=1 name=\"/var/opt/omi/log/miclient.log\" nametype=CREATE",
      "type=PROCTITLE msg=audit(1553869801.287:6221321): proctitle=2F6F70742F6F6D692F62696E2F6F6D69636C6900697600726F6F742F6F6D73007B004D5346545F4453434C6F63616C436F6E66696775726174696F6E4D616E61676572007D00506572666F726D5265717569726564436F6E66696775726174696F6E436865636B73007B00466C6167730031007D"
    ]
  },
  "tags": [
    "access"
  ],
  "osCategory": "linux",
  "@timestamp": "2019-03-29T14:30:01.287Z",
  "file": {
    "path": "/var/opt/omi/log/miclient.log"
  },
  "osVersion": 14,
  "beatName": "auditbeat",
  "@version": "1",
  "beat": {
    "name": "env-cs-westus-devtest-66-device42-0",
    "hostname": "env-cs-westus-devtest-66-device42-0",
    "version": "6.5.4"
  },
  "host": {
    "name": "env-cs-westus-devtest-66-device42-0"
  },
  "event": {
    "action": "opened-file",
    "category": "audit-rule",
    "type": "syscall",
    "module": "auditd"
  },
  "device": [
    "device-42"
  ],
  "user": {
    "fsuid": "994",
    "uid": "994",
    "auid": "unset",
    "name_map": {
      "fsuid": "omsagent",
      "uid": "omsagent",
      "egid": "omiusers",
      "gid": "omiusers",
      "euid": "omsagent",
      "fsgid": "omiusers",
      "sgid": "omiusers",
      "suid": "omsagent"
    },
    "egid": "997",
    "gid": "997",
    "euid": "994",
    "fsgid": "997",
    "sgid": "997",
    "suid": "994"
  }
}
How can I rectify this in auditbeat?
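An added example (not part of the question and not auditbeat's own code) that parses the SYSCALL and PROCTITLE records from the document above and shows why the parsed auid reads "unset": the raw value 4294967295 is (uint32)-1, the kernel's sentinel for a login UID that was never set, which a parser renders as "unset" rather than as a number. The uid-to-name map and the function names are constructed for this example.

```python
import re

AUDIT_UID_UNSET = 4294967295  # (uint32)-1: kernel sentinel for a loginuid/sessionid never set

# The SYSCALL and PROCTITLE records from the document in the question, copied verbatim.
SYSCALL_RECORD = (
    "type=SYSCALL msg=audit(1553869801.287:6221321): arch=c000003e syscall=2 success=no "
    "exit=-13 a0=7f6bccbfa050 a1=441 a2=1b6 a3=0 items=2 ppid=38113 pid=38123 "
    "auid=4294967295 uid=994 gid=997 euid=994 suid=994 fsuid=994 egid=997 sgid=997 "
    'fsgid=997 tty=(none) ses=4294967295 comm="omicli" exe="/opt/omi/bin/omicli" key="access"'
)
PROCTITLE_RECORD = (
    "type=PROCTITLE msg=audit(1553869801.287:6221321): proctitle=2F6F70742F6F6D692F62696E2F6F6D69636C69"
    "00697600726F6F742F6F6D73007B004D5346545F4453434C6F63616C436F6E66696775726174696F6E4D616E61676572"
    "007D00506572666F726D5265717569726564436F6E66696775726174696F6E436865636B73007B00466C6167730031007D"
)
PASSWD = {994: "omsagent"}  # constructed uid -> name map standing in for /etc/passwd (assumption)

# One key=value pair: the value is a double-quoted string or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Split one auditd record into a dict, stripping the quotes from quoted values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def resolve_uid(raw, passwd=PASSWD):
    """What a parser does with a uid-like field: the sentinel becomes 'unset', else a name lookup."""
    uid = int(raw)
    return "unset" if uid == AUDIT_UID_UNSET else passwd.get(uid, str(uid))

def decode_proctitle(hexstr):
    """PROCTITLE carries argv hex-encoded with NUL separators; rebuild the command line."""
    return bytes.fromhex(hexstr).replace(b"\x00", b" ").decode("utf-8", "replace")

def summarize(syscall_line, proctitle_line):
    """Reproduce the verdicts shown in the parsed part of the question's document."""
    sc, pt = parse_record(syscall_line), parse_record(proctitle_line)
    return {
        "auid": resolve_uid(sc["auid"]),          # 4294967295 -> "unset", as the document shows
        "uid": resolve_uid(sc["uid"]),            # 994 -> "omsagent"
        "session": "unset" if int(sc["ses"]) == AUDIT_UID_UNSET else sc["ses"],
        "result": "fail" if sc["success"] == "no" else "success",
        "title": decode_proctitle(pt["proctitle"]),
    }
```

A process carries that sentinel when it was not started from a PAM login session, which fits an agent launched from cron (note the cwd of /var/spool/cron in the record); the parser is reporting the host's state faithfully. Populating auid for such jobs is therefore a matter of the session setup on the host (pam_loginuid in the PAM stack that starts them) rather than a change in auditbeat.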