@andrewkroh I've enabled these two options and got the following event:
{"auditd":{"data":{"a0":"7ffcf6e5c757","a1":"2","a2":"7f200050f280","a3":"7ffcf6e5b660","arch":"x86_64","exit":"0","syscall":"rmdir","tty":"pts1"},"message_type":"syscall","paths":[{"cap_fe":"0","cap_fi":"0000000000000000","cap_fp":"0000000000000000","cap_fver":"0","dev":"08:04","inode":"100916940","item":"0","mode":"040775","name":"/sasdata/","objtype":"PARENT","ogid":"201327708","ouid":"0","rdev":"00:00"},{"cap_fe":"0","cap_fi":"0000000000000000","cap_fp":"0000000000000000","cap_fver":"0","dev":"08:04","inode":"100916940","item":"1","mode":"040775","objtype":"PARENT","ogid":"201327708","ouid":"0","rdev":"00:00"},{"cap_fe":"0","cap_fi":"0000000000000000","cap_fp":"0000000000000000","cap_fver":"0","dev":"08:04","inode":"1181650","item":"2","mode":"040755","objtype":"DELETE","ogid":"0","ouid":"0","rdev":"00:00"}],"result":"success","sequence":4136,"session":"269","summary":{"actor":{"primary":"aevangelista","secondary":"root"},"how":"/usr/bin/rmdir","object":{"primary":"/sasdata/","type":"file"}}},"event":{"action":"deleted","category":["file"],"kind":"event","module":"auditd","original":["type=SYSCALL msg=audit(1614912311.117:4136): arch=c000003e syscall=84 success=yes exit=0 a0=7ffcf6e5c757 a1=2 a2=7f200050f280 a3=7ffcf6e5b660 items=3 ppid=17590 pid=22579 auid=201327714 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=269 comm=\"rmdir\" exe=\"/usr/bin/rmdir\" key=\"filesystem_op\"","type=CWD msg=audit(1614912311.117:4136): cwd=\"/home/aevangelista\"","type=PATH msg=audit(1614912311.117:4136): item=0 name=\"/sasdata/\" inode=100916940 dev=08:04 mode=040775 ouid=0 ogid=201327708 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0","type=PATH msg=audit(1614912311.117:4136): item=1 name=(null) inode=100916940 dev=08:04 mode=040775 ouid=0 ogid=201327708 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0","type=PATH msg=audit(1614912311.117:4136): item=2 name=(null) inode=1181650 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0","type=PROCTITLE msg=audit(1614912311.117:4136): proctitle=726D646972002F736173646174612F746573746469722F"],"outcome":"success","type":["deletion"]},"file":{"device":"00:00","gid":"201327708","group":"sasusers","inode":"100916940","mode":"0775","owner":"root","path":"/sasdata/","uid":"0"},"process":{"executable":"/usr/bin/rmdir","name":"rmdir","pid":22579,"ppid":17590,"title":"rmdir /sasdata/testdir/","working_directory":"/home/aevangelista"},"service":{"type":"auditd"},"tags":["filesystem_op"],"user":{"audit":{"id":"201327714","name":"aevangelista"},"filesystem":{"group":{"id":"0","name":"root"},"id":"0","name":"root"},"group":{"id":"0","name":"root"},"id":"0","name":"root","saved":{"group":{"id":"0","name":"root"},"id":"0","name":"root"}}}
With this extra debugging, it got obvious that the problem is in Audit, not Auditbeat.
I found out that this problem only happens when I run "rmdir /sasdata/testdir/" (with an unnecessary slash at the end). If I run "rmdir /sas/data/testdir" instead, I get the directory path in the paths object in both the audit event AND in the auditbeat event. That's the command I tried when testing with auditd before.
IMHO Audit should provide the path of the deleted directory somewhere in its event, regardless of whether the rmdir command has a slash at the end of the directory path or not. I'll write about it to the linux-audit mailing list.
Thanks for the help!
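For anyone triaging such events before the kernel side is fixed, the following is an added example (not code from this comment, nor Auditbeat's own parser) showing how to detect the situation described above and recover the deleted directory from the raw records. It parses the SYSCALL/CWD/PATH/PROCTITLE records of one sequence, notices that the PATH item with objtype=DELETE carries name=(null), and falls back to decoding the hex PROCTITLE argv against the CWD. The fallback is an assumption about the command line, not what the kernel resolved: PROCTITLE is whatever argv the process reported, so it is a best-effort hint for analysts and should be surfaced as such (hence the `anomaly` flag), not treated as authoritative. The sample records are constructed from the event quoted above, trimmed to the fields the example reads.

```python
"""Recover the target of an rmdir from raw auditd records when the DELETE
PATH item carries name=(null), as in the trailing-slash event above."""
import posixpath
import re

# Constructed sample input: the records of sequence 4136 from the event above
# (the trailing-slash case), trimmed to the fields this example uses.
SAMPLE_RECORDS_SLASH = [
    'type=SYSCALL msg=audit(1614912311.117:4136): arch=c000003e syscall=84 success=yes '
    'exit=0 items=3 ppid=17590 pid=22579 auid=201327714 uid=0 comm="rmdir" '
    'exe="/usr/bin/rmdir" key="filesystem_op"',
    'type=CWD msg=audit(1614912311.117:4136): cwd="/home/aevangelista"',
    'type=PATH msg=audit(1614912311.117:4136): item=0 name="/sasdata/" inode=100916940 '
    'dev=08:04 mode=040775 ouid=0 ogid=201327708 rdev=00:00 objtype=PARENT',
    'type=PATH msg=audit(1614912311.117:4136): item=1 name=(null) inode=100916940 '
    'dev=08:04 mode=040775 ouid=0 ogid=201327708 rdev=00:00 objtype=PARENT',
    'type=PATH msg=audit(1614912311.117:4136): item=2 name=(null) inode=1181650 '
    'dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=DELETE',
    'type=PROCTITLE msg=audit(1614912311.117:4136): '
    'proctitle=726D646972002F736173646174612F746573746469722F',
]

# Constructed sample for the normal case (no trailing slash): the kernel
# names the deleted entry directly in the DELETE item. Sequence number is made up.
SAMPLE_RECORDS_NO_SLASH = [
    'type=SYSCALL msg=audit(1614912400.000:9999): arch=c000003e syscall=84 success=yes exit=0 items=2',
    'type=CWD msg=audit(1614912400.000:9999): cwd="/home/aevangelista"',
    'type=PATH msg=audit(1614912400.000:9999): item=0 name="/sasdata/" inode=100916940 objtype=PARENT',
    'type=PATH msg=audit(1614912400.000:9999): item=1 name="/sasdata/testdir" inode=1181650 objtype=DELETE',
    'type=PROCTITLE msg=audit(1614912400.000:9999): proctitle=726D646972002F736173646174612F74657374646972',
]

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of key -> value (quotes stripped)."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def decode_proctitle(raw):
    """auditd hex-encodes proctitle when argv contains NUL separators (always the
    case for a command with arguments); return argv as a list of strings."""
    if raw.startswith('"'):
        return [raw.strip('"')]
    return bytes.fromhex(raw).decode("utf-8", "replace").split("\x00")


def recover_deleted_path(lines):
    """Return what was deleted and where the path came from (PATH or PROCTITLE)."""
    recs = [parse_record(line) for line in lines]
    by_type = {}
    for rec in recs:
        by_type.setdefault(rec.get("type"), []).append(rec)

    seq = re.search(r"audit\([\d.]+:(\d+)\)", recs[0].get("msg", ""))
    paths = by_type.get("PATH", [])
    parents = [p["name"] for p in paths
               if p.get("objtype") == "PARENT" and p.get("name", "(null)") != "(null)"]
    result = {
        "sequence": seq.group(1) if seq else None,
        "parent": posixpath.normpath(parents[0]) if parents else None,
        "path": None,
        "source": None,
        "anomaly": False,  # True when the DELETE item has no name (the trailing-slash case)
    }
    delete_items = [p for p in paths if p.get("objtype") == "DELETE"]
    if not delete_items:
        return result

    name = delete_items[0].get("name")
    if name and name != "(null)":
        result.update(path=posixpath.normpath(name), source="PATH")
        return result

    # Fallback: the kernel recorded no name, so reconstruct a candidate from the
    # reported argv and CWD. This is a heuristic: PROCTITLE is what the process
    # reported, not what the kernel resolved, so flag it for the analyst.
    result["anomaly"] = True
    cwd = by_type.get("CWD", [{}])[0].get("cwd", "/")
    proctitle = by_type.get("PROCTITLE", [{}])[0].get("proctitle")
    if not proctitle:
        return result
    for arg in decode_proctitle(proctitle)[1:]:
        if arg.startswith("-"):
            continue  # skip options such as -p or --verbose
        candidate = posixpath.normpath(posixpath.join(cwd, arg))
        # Only accept an argv path that lives directly under the recorded PARENT.
        if result["parent"] and posixpath.dirname(candidate) == result["parent"]:
            result.update(path=candidate, source="PROCTITLE")
            break
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_RECORDS_SLASH, SAMPLE_RECORDS_NO_SLASH):
        print(recover_deleted_path(sample))
```

Run on the trailing-slash sample this yields `/sasdata/testdir` with `source` set to `PROCTITLE` and `anomaly` set to `True`; on the normal sample it returns the name straight from the DELETE item with `source` set to `PATH`. The `anomaly` flag is the useful detection signal: a deletion event whose DELETE item has no name is exactly the case where a downstream consumer such as the one above ends up reporting the parent directory as the deleted object.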