I am using Filebeat and auditd module to collect audit logs from linux vm.
I am often running into mapping limit because the ingest pipeline creates a new field for every argument given in the log message.
for example original log contains among other information arguments like:
...a0="user/bin/bash" a1="-D" a2="-i" a3... and so on. It can go up to a500+.
The Filebeat auditd ingest pipeline creates fields like:
auditd.log.a0, auditd.log.a1, auditd.log.a2, auditd.log.a3, .... auditd.log.a456 and so on.
I would like to prevent the creation of the fields for the argument. For example I would like to have a field like auditd.log.arguments and concatinate all values from these a0..a* fields in there.
Do you have any idea how I can achieve this?