Field names not parsing in Auditbeat

I feel like I'm missing something here. Auditbeat is up and running on an ubunutu server and I'm getting auditd, system, and file integrity logs but some fields referenced by the Elasticsearch prebuilt linux rules aren't getting parsed: is one example.

So, I feel like I'm missing something. Is there any specific additional step that needs to take place to get all of the fields parsed or do I just need to create my own ingest pipeline and parse them manually?

Did you run setup first before starting auditbeat per the docs here

I did not. I did, however, run it afterwards and reindex the existing index to comply with the new index template.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.