Elastic Agent built-in Filebeat

Hello!
I've installed Elastic Agent on Ubuntu and enabled AuditD integration for it (it's attached to an agent)
I left all the configurations by default.
Now, when I try the elastic_agent.filebeat data stream, I'm getting errors like this:

[elastic_agent.filebeat][warn] Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc05020f10d7be7dc, ext:6932565418598, loc:(*time.Location)(0x55af54856100)}, Meta:{"raw_index":"logs-auditd.log-default"}, Fields:{"agent":{"ephemeral_id":"6c91c80b-9268-4b3a-9b12-1137e6814ef7","hostname":"ubuntu","id":"63f737f7-8bc1-4112-bc74-c49f6c0b6511","name":"ubuntu","type":"filebeat","version":"7.15.0"},"data_stream":{"dataset":"auditd.log","namespace":"default","type":"logs"},"ecs":{"version":"1.11.0"},"elastic_agent":{"id":"63f737f7-8bc1-4112-bc74-c49f6c0b6511","snapshot":false,"version":"7.15.0"},"event":{"dataset":"auditd.log"},"host":{"architecture":"x86_64","containerized":false,"hostname":"ubuntu","id":"2b7359fdb986472eb9f8343eeb49c0b2","ip":["192.168.100.60","fe80::8891:3770:4417:1fc0","10.8.0.46","fe80::4c24:7230:66b1:6f88"],"mac":["00:0c:29:71:6c:55"],"name":"ubuntu","os":{"codename":"focal","family":"debian","kernel":"5.11.0-37-generic","name":"Ubuntu","platform":"ubuntu","type":"linux","version":"20.04.3 LTS (Focal Fossa)"}},"input":{"type":"log"},"log":{"file":{"path":"/var/log/audit/audit.log"},"offset":9820758},"message":"type=SYSCALL msg=audit(1633684543.270:12869): arch=c000003e syscall=62 success=yes exit=0 a0=1c81 a1=0 a2=1c80 a3=7f97a8000c50 items=0 ppid=1 pid=6986 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"elastic-endpoin\" exe=\"/opt/Elastic/Endpoint/elastic-endpoint\" subj=unconfined key=\"audit_kill\"","tags":["auditd-log"]}, Private:file.State{Id:"native::136562-2053", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc000a7d6c0), Source:"/var/log/audit/audit.log", Offset:9821108, Timestamp:time.Time{wall:0xc0501f7f9dcf25a0, ext:6332270189924, loc:(*time.Location)(0x55af54856100)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x21572, Device:0x805}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, 
Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [auditd.log.success] of type [boolean] in document with id '8zswX3wB_tNaMVZSFUo3'. Preview of field's value: 'yes'","caused_by":{"type":"illegal_argument_exception","reason":"Failed to parse value [yes] as only [true] or [false] are allowed."}}, dropping event!

I understand that there is an issue with Elastic Agent parsing the event, but I left all the settings at their defaults, so the Elastic Agent can't handle this generic issue by itself; that sounds like a big misconfiguration to me.

Any idea what index template I need to configure to solve the issue?
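The error above is a mapping mismatch: auditd writes `success=yes`/`success=no`, while the `auditd.log.success` field in the data stream's template is mapped as `boolean`, which accepts only true/false. The following is an added illustration (not code from the post or from the Elastic integration) of the normalisation that has to happen somewhere before indexing: parse the audit record into key/value pairs and turn the yes/no words into real booleans. The sample record is constructed from the message in the post; field and function names are my own.

```python
import re

# Constructed sample record, modelled on the SYSCALL line quoted in the post.
SAMPLE = ('type=SYSCALL msg=audit(1633684543.270:12869): arch=c000003e syscall=62 '
          'success=yes exit=0 a0=1c81 ppid=1 pid=6986 auid=4294967295 uid=0 '
          'tty=(none) comm="elastic-endpoin" exe="/opt/Elastic/Endpoint/elastic-endpoint" '
          'subj=unconfined key="audit_kill"')

# auditd records are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Words auditd uses for yes/no style fields. An Elasticsearch boolean field
# only accepts true/false, so "yes" must be translated before indexing.
BOOL_WORDS = {"yes": True, "no": False, "true": True, "false": False}


def parse_auditd_message(message):
    """Split one auditd record into a dict of key -> string value."""
    fields = {}
    for key, value in KV_RE.findall(message):
        fields[key] = value.strip('"')
    return fields


def coerce_booleans(fields, boolean_fields=("success",)):
    """Return a copy in which the named fields are real booleans.

    Values that are not recognised are left as strings on purpose, so an
    unexpected value still surfaces as a mapping error instead of being
    silently turned into false."""
    out = dict(fields)
    for name in boolean_fields:
        if name in out and isinstance(out[name], str):
            out[name] = BOOL_WORDS.get(out[name].lower(), out[name])
    return out


def to_document(message):
    """Build the document shape the error message refers to (auditd.log.*)."""
    fields = coerce_booleans(parse_auditd_message(message))
    return {"auditd": {"log": fields}, "message": message}


if __name__ == "__main__":
    doc = to_document(SAMPLE)
    print(doc["auditd"]["log"]["success"])  # True, indexable as boolean
```

In the agent setup itself the equivalent fix lives in the ingest pipeline or index template for `logs-auditd.log-*`, not in the client; this block only shows what the conversion has to do.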
