Event.Module (Auditd) for Auditbeat

I am trying to monitor logs with Auditbeat version 7.4, specifically the auditd module. I have created a yml file to send the logs to Logstash. Please, how do I extract the time and date of each event in the auditd module?
I tried this code

auditbeat.modules:
- module: auditd
  log:
    enabled: true
  ...
  processors:
    - date:
        field: event.timestamp
        target_field: custom_timestamp
        formats:
          - 'UNIX'
        timezone: 'UTC'

but it did not work because the date processor does not exist. Do I have to create one, and if yes, how do I do it?

Thanks once more for your fast response.

What are you trying to accomplish?

The timestamp of the event is stored in the @timestamp field and does not need to be processed as it is already a valid time object internally.

Hi Andrew,
Thanks for your quick response.
The auditd module, unlike the system module, has no timestamp field like "event.start" or "event.end". The @timestamp is the one built in by Logstash. For the auditd logs the "msg" has the time component as shown:

type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 
success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid

How do I extract this component and include it under the processors in the yml configuration file of the Auditbeat modules?
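An added example, not code from this thread or from Auditbeat itself: a small Python parser for the `msg=audit(SECONDS.MILLIS:SERIAL)` header quoted above, which is where an auditd record carries its own time. It converts the epoch seconds and milliseconds to a UTC timestamp, keeps the serial, and groups records that share a serial into one event, since the kernel audit subsystem emits several records (SYSCALL, PATH, ...) for a single event and the serial is what ties them together. The sample lines are constructed for this example; the first is adapted from the line quoted in the post above, the rest are invented. Running it over a raw /var/log/audit/audit.log shows exactly which value a dissect-and-convert step in a pipeline would have to pull out.

```python
import re
from datetime import datetime, timezone

# Constructed sample records. The first is adapted from the thread; the rest are
# invented to show two records sharing one serial and a second, later event.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 '
    'success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25401',
    'type=PATH msg=audit(1234874638.599:5207): item=0 name="/etc/passwd" '
    'inode=131 dev=fd:01 mode=0100644',
    "type=CRED_ACQ msg=audit(1234874700.000:5208): pid=26001 uid=0 auid=1000 "
    "ses=4 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/bin/sudo\" res=success'",
    'this line is not an audit record and must be skipped',
]

# The header the kernel writes on every record: audit(<epoch seconds>.<millis>:<serial>)
AUDIT_HEADER = re.compile(
    r"^type=(?P<type>[A-Z_]+) msg=audit\((?P<secs>\d+)\.(?P<millis>\d{3}):(?P<serial>\d+)\):"
)


def parse_audit_header(line):
    """Return {'type', 'timestamp', 'iso', 'serial'} for an audit record, or None."""
    m = AUDIT_HEADER.match(line)
    if m is None:
        return None
    secs = int(m.group("secs"))
    millis = int(m.group("millis"))
    # The kernel stamps records in UTC epoch time; build a tz-aware datetime so the
    # ISO string carries an explicit offset instead of silently using local time.
    ts = datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=millis * 1000)
    return {
        "type": m.group("type"),
        "timestamp": ts,
        "iso": ts.isoformat(timespec="milliseconds"),
        "serial": int(m.group("serial")),
    }


def group_by_serial(lines):
    """Collapse records that share a serial into one event keyed by serial.

    All records of one event carry the same header, so the timestamp is taken
    from the first record seen and later records only add their type.
    """
    events = {}
    for line in lines:
        rec = parse_audit_header(line)
        if rec is None:
            continue  # non-audit noise, e.g. a truncated or foreign line
        ev = events.setdefault(rec["serial"], {"iso": rec["iso"], "types": []})
        ev["types"].append(rec["type"])
    return events


if __name__ == "__main__":
    for serial, ev in sorted(group_by_serial(SAMPLE_LINES).items()):
        print(serial, ev["iso"], ",".join(ev["types"]))
```

The two steps the parser performs, isolating the `seconds.millis` value from the header and converting it as a UNIX timestamp with fractional seconds, are the same two steps any pipeline-side processor has to do, whatever the processor is called; the serial is worth keeping as well, because it is the only key that lets the SYSCALL record be matched to the PATH records of the same event.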
