We are trying to monitor the creation of new user accounts on Linux machines with Auditbeat (7.17). We would like to know the names of the newly created users. Creating a new user shows up in Kibana as an event from event.module : auditd, with event.action : added_user_account and containing the user.target.id field. But despite resolve_ids: true being explicitly stated in the auditbeat.yml configuration file, there is no user.target.name field. How could we fix that?

Furthermore, from some machines, we also get an event from event.module : system with event.action : user_added (which contains the user.name of the new user), but from others we don't. Why could that be?