Hello,
We are trying to monitor the creation of new user accounts on Linux machines with Auditbeat (7.17). We would like to know the names of the newly created users. Creating a new user shows up in Kibana as an event from event.module : auditd, with event.action : added_user_account and containing the user.target.id field. But despite resolve_ids: true being explicitly stated in the auditbeat.yml configuration file, there is no user.target.name field. How could we fix that?
Furthermore, from some machines, we also get an event from event.module : system with event.action : user_added (which contains the user.name of the new user), but from others we don't. Why could that be?