Monitoring new users on Linux with Auditbeat


we are trying to monitor the creation of new user accounts on Linux machines with Auditbeat (7.17). We would like to know the names of the newly created users. Creating a new user shows up in Kibana as an event from event.module : auditd, with event.action : added_user_account and containing the field. But despite resolve_ids: true being explicitly stated in the auditbeat.yml configuration file, there is no field. How could we fix that?

Furthermore, from some machines, we also get an event from event.module : system with event.action : user_added (which contains the of the new user), but from others we don't. Why could that be?

Is there perhaps some other way to monitor the names of newly added users?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.