I feel like I'm missing something here. Auditbeat is up and running on an ubunutu server and I'm getting auditd, system, and file integrity logs but some fields referenced by the Elasticsearch prebuilt linux rules aren't getting parsed: file.name is one example.
So, I feel like I'm missing something. Is there any specific additional step that needs to take place to get all of the fields parsed or do I just need to create my own ingest pipeline and parse them manually?
Did you run setup first before starting auditbeat per the docs here
I did not. I did, however, run it afterwards and reindex the existing index to comply with the new index template.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.