Auid value not set properly

In many documents the auid field is set to "unset".
Here is a sample document. The raw audit records in its "messages" field contain a value for auid (auid=4294967295), but in the parsed section (user.auid) the auid is set to "unset".

          "process": {
            "cwd": "/var/spool/cron",
            "exe": "/opt/omi/bin/omicli",
            "name": "omicli",
            "pid": "38123",
            "title": "/opt/omi/bin/omicli iv root/oms { MSFT_DSCLocalConfigurationManager } PerformRequiredConfigurationChecks { Flags 1 }",
            "ppid": "38113"
          "osName": "ubuntu",
          "auditd": {
            "summary": {
              "actor": {
                "secondary": "omsagent",
                "primary": "unset"
              "how": "/opt/omi/bin/omicli",
              "object": {
                "type": "file",
                "primary": "/var/opt/omi/log/miclient.log"
            "result": "fail",
            "sequence": 6221321,
            "data": {
              "a1": "441",
              "a2": "1b6",
              "syscall": "open",
              "exit": "EACCES",
              "a3": "0",
              "tty": "(none)",
              "arch": "x86_64",
              "a0": "7f6bccbfa050"
            "session": "unset",
            "paths": [
                "mode": "040755",
                "inode": "2101019",
                "item": "0",
                "dev": "fc:00",
                "ouid": "995",
                "rdev": "00:00",
                "nametype": "PARENT",
                "ogid": "996",
                "name": "/var/opt/omi/log/"
                "name": "/var/opt/omi/log/miclient.log",
                "item": "1",
                "nametype": "CREATE"
            "messages": [
              """type=SYSCALL msg=audit(1553869801.287:6221321): arch=c000003e syscall=2 success=no exit=-13 a0=7f6bccbfa050 a1=441 a2=1b6 a3=0 items=2 ppid=38113 pid=38123 auid=4294967295 uid=994 gid=997 euid=994 suid=994 fsuid=994 egid=997 sgid=997 fsgid=997 tty=(none) ses=4294967295 comm="omicli" exe="/opt/omi/bin/omicli" key="access"""",
              """type=CWD msg=audit(1553869801.287:6221321):  cwd="/var/spool/cron"""",
              """type=PATH msg=audit(1553869801.287:6221321): item=0 name="/var/opt/omi/log/" inode=2101019 dev=fc:00 mode=040755 ouid=995 ogid=996 rdev=00:00 nametype=PARENT""",
              """type=PATH msg=audit(1553869801.287:6221321): item=1 name="/var/opt/omi/log/miclient.log" nametype=CREATE""",
              "type=PROCTITLE msg=audit(1553869801.287:6221321): proctitle=2F6F70742F6F6D692F62696E2F6F6D69636C6900697600726F6F742F6F6D73007B004D5346545F4453434C6F63616C436F6E66696775726174696F6E4D616E61676572007D00506572666F726D5265717569726564436F6E66696775726174696F6E436865636B73007B00466C6167730031007D"
          "tags": [
          "osCategory": "linux",
          "@timestamp": "2019-03-29T14:30:01.287Z",
          "file": {
            "path": "/var/opt/omi/log/miclient.log"
          "osVersion": 14,
          "beatName": "auditbeat",
          "@version": "1",
          "beat": {
            "name": "env-cs-westus-devtest-66-device42-0",
            "hostname": "env-cs-westus-devtest-66-device42-0",
            "version": "6.5.4"
          "host": {
            "name": "env-cs-westus-devtest-66-device42-0"
          "event": {
            "action": "opened-file",
            "category": "audit-rule",
            "type": "syscall",
            "module": "auditd"
          "device": [
          "user": {
            "fsuid": "994",
            "uid": "994",
            "auid": "unset",
            "name_map": {
              "fsuid": "omsagent",
              "uid": "omsagent",
              "egid": "omiusers",
              "gid": "omiusers",
              "euid": "omsagent",
              "fsgid": "omiusers",
              "sgid": "omiusers",
              "suid": "omsagent"
            "egid": "997",
            "gid": "997",
            "euid": "994",
            "fsgid": "997",
            "sgid": "997",
            "suid": "994"

How can I rectify this in auditbeat?

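The kernel is reporting 4294967295 as the auid associated with the event. That number is the unsigned 32-bit representation of -1 (0xFFFFFFFF), which the kernel uses when no audit login UID has been assigned. Auditbeat's "unset" is therefore the correct decoding of the raw record, not a parsing error. The same applies to ses=4294967295, which appears in the parsed document as "session": "unset". The auid is set when a user logs in. In this case the process was started by cron, so there was no user login and therefore no auid.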
