Filebeat auditd module causes mapping explosion

Hi folks,

I am using Filebeat and the auditd module to collect audit logs from a Linux VM.

I often run into the mapping limit because the ingest pipeline creates a new field for every argument given in the log message.

For example, the original log contains, among other information, arguments like: ...a0="user/bin/bash" a1="-D" a2="-i" a3... and so on. It can go up to a500+.

The Filebeat auditd ingest pipeline creates fields like:

auditd.log.a0, auditd.log.a1, auditd.log.a2, auditd.log.a3, .... auditd.log.a456 and so on.

I would like to prevent the creation of the fields for the arguments. For example, I would like to have a field like auditd.log.arguments and concatenate all values from these a0..a* fields in there.

Do you have any idea how I can achieve this?

Thanks

Does anyone have a hint?
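One way to get the auditd.log.arguments field the question asks for, as an added example that is not from the original thread or from the Filebeat module itself: a second ingest pipeline whose Painless script processor walks the contiguous a0, a1, ... keys, joins their values, and removes the per-argument fields before indexing. It is written in Kibana Dev Tools console syntax and assumes the pipeline is run after the module pipeline (for example via the Filebeat index's `index.final_pipeline` setting, available from Elasticsearch 7.5); the pipeline name and the 10000-argument ceiling are my own choices.

```console
PUT _ingest/pipeline/auditd-collapse-args
{
  "description": "Collapse auditd.log.a0..aN into a single auditd.log.arguments field (added example, not module code)",
  "processors": [
    {
      "script": {
        "lang": "painless",
        "source": """
          // Nothing to do if the module pipeline did not produce auditd.log
          if (ctx.auditd == null || ctx.auditd.log == null) { return; }
          def log = ctx.auditd.log;
          StringBuilder sb = new StringBuilder();
          // EXECVE arguments are numbered without gaps (a0, a1, ...), so stop at the
          // first missing key. The upper bound is a safety cap, not an auditd limit.
          for (int i = 0; i < 10000; i++) {
            String key = 'a' + i;
            if (!log.containsKey(key)) { break; }
            if (i > 0) { sb.append(' '); }
            // remove() returns the value and drops the per-argument field so it is never mapped
            sb.append(log.remove(key));
          }
          // Values are joined with a single space; an argument that itself contains
          // spaces is therefore no longer distinguishable from two arguments.
          if (sb.length() > 0) { log.put('arguments', sb.toString()); }
        """
      }
    }
  ]
}
```

Removing the fields in the pipeline does not remove them from an index whose mapping already contains auditd.log.a0..aN; the smaller mapping takes effect with the next index that is created.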
