Event.type field in system module logs not ECS compliant

Lorygold · May 16, 2023, 1:59pm

Good morning,

I activated the system module of Filebeat (version 8.7.1) in order to collect the ssh logins on an Ubuntu VM. I can see them on Kibana, but the event.type field is info event if it is an authentication log category.

The event.type should be start as described in the ECS documentation, shouldn’t it?

{
  "_index": ".ds-filebeat-8.7.1-2023.05.15-000001",
  "_source": {
       "log": {
           "file": {
               "path": "/var/log/auth.log"
           }
      },
      "event": {
           "kind": "event",
           "module": "system",
           "action": "ssh_login",
           "type": [
                "info"
            ],
           "category": [
                "authentication",
                "session"
            ],
            "dataset": "system.auth",
            "outcome": "success"
    },
}

system · June 14, 2023, 5:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat SSH dashboard failing to show events (Kibana 7.0) Beats filebeat	17	3492	May 31, 2019
Difference between (event.module: system - event.action: user_login) AND (event.module: auditd - event.action: logged-in) SIEM ecs-elastic-common-schema , detection-rules	3	821	August 24, 2021
No data displaying in dashboard - [Filebeat System] SSH login attempts ECS Beats filebeat	2	1326	May 21, 2019
Filebeatでの_typeの変更について日本語による質問・議論はこちら	2	661	April 5, 2020
Filebeat Fortinet Module: Mismatch between event.action and event.type in Fortigate Logs Beats filebeat	1	570	September 22, 2023

Event.type field in system module logs not ECS compliant

Related topics