Event.type field in system module logs not ECS compliant

Lorygold · May 16, 2023, 1:59pm

Good morning,

I activated the system module of Filebeat (version 8.7.1) in order to collect the ssh logins on an Ubuntu VM. I can see them on Kibana, but the event.type field is info event if it is an authentication log category.

The event.type should be start as described in the ECS documentation, shouldn’t it?

{
  "_index": ".ds-filebeat-8.7.1-2023.05.15-000001",
  "_source": {
       "log": {
           "file": {
               "path": "/var/log/auth.log"
           }
      },
      "event": {
           "kind": "event",
           "module": "system",
           "action": "ssh_login",
           "type": [
                "info"
            ],
           "category": [
                "authentication",
                "session"
            ],
            "dataset": "system.auth",
            "outcome": "success"
    },
}

system · June 14, 2023, 5:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using Filebeat for logging ssh log in Beats filebeat	13	13761	August 5, 2018
Filebeat forward to Kibana ssh auth fail Beats filebeat	10	1794	November 12, 2018
Filebeat doesn't providing event fields (event.name,event.module...) doesnt Beats filebeat	1	310	April 13, 2020
Filebeat module to see system logins Beats filebeat	5	423	December 14, 2020
Difference between (event.module: system - event.action: user_login) AND (event.module: auditd - event.action: logged-in) SIEM ecs-elastic-common-schema , detection-rules	3	938	August 24, 2021

Event.type field in system module logs not ECS compliant

Related topics