That's normal. Auditbeat receives all of the audit messages from the kernel. So in addition to messages caused by your rules you'll be getting messages from apps that publish audit messages (like sshd and sudo).
You can write rules to drop these messages in the kernel if you don't want them (e.g. -a always,exclude -F msgtype=FOO). Or you could use a Beats drop_event processor to drop them after Auditbeat receives them from the kernel.
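The two approaches described above, side by side, as an added Auditbeat configuration example (this is not from the original post or the Auditbeat project). The message types used (CRED_ACQ, CRED_DISP, USER_START, USER_END, user_acct, cred_refr) are standard audit record types emitted by sudo/sshd session handling and are chosen here as an illustration; the event field `auditd.message_type` is the auditd module's message-type field and should be checked against your own events before relying on it. The `-w /etc/passwd` rule is a placeholder for your own rules.

```yaml
auditbeat.modules:
- module: auditd
  # Rules are passed through to the kernel in auditctl syntax.
  audit_rules: |
    ## Approach 1: exclude in the kernel. Records of these types are never
    ## generated, so no consumer (Auditbeat, auditd's own log, anything else
    ## on the netlink socket) will see them. Use this for types you are sure
    ## nobody needs.
    -a always,exclude -F msgtype=CRED_ACQ
    -a always,exclude -F msgtype=CRED_DISP
    -a always,exclude -F msgtype=USER_START
    -a always,exclude -F msgtype=USER_END

    ## Your own watch/syscall rules go here (placeholder example).
    -w /etc/passwd -p wa -k identity

processors:
  # Approach 2: let the kernel emit everything and drop after receipt.
  # Only Auditbeat's output is affected; other audit consumers still get
  # the records, which is the safer choice when auditd also writes audit.log.
  - drop_event:
      when:
        or:
          - equals:
              auditd.message_type: "user_acct"
          - equals:
              auditd.message_type: "cred_refr"
```

Before excluding a message type in the kernel, confirm that no detection or compliance process depends on it: an exclude rule silently removes those records for every consumer on the host, whereas the drop_event processor only trims what Auditbeat ships, so the latter is the reversible option to try first.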