The maximum fields supported in Auditbeat

Hello team,

May I know what the biggest length that can be supported in Auditbeat is? As I tested, it looks like Auditbeat truncated the field's value here when it is long enough.

For example, when I enter a super long fake curl command "curl http://23123123214321421fasdsadasdsadasfasfsafagsgdsgsdgxxxxxxxxx1234567890aaaaaaaaaaaaaccccccccccccccxxxxxxxxxxxxxxxxxxx9934"

And I saw from the debug mode that it truncates 34 here:

/auditbeat.log: "path": "/bin/curl",
./auditbeat.log: "name": "curl",
./auditbeat.log: "executable": "/usr/bin/curl",
./auditbeat.log: "curl",
./auditbeat.log: "title": "curl http://23123123214321421fasdsadasdsadasfasfsafagsgdsgsdgxxxxxxxxx1234567890aaaaaaaaaaaaaccccccccccccccxxxxxxxxxxxxxxxxxxx99"
./auditbeat.log: "T1105_Lateral_Movement_curl"
./auditbeat.log: "primary": "/bin/curl",
./auditbeat.log: "how": "/usr/bin/curl"
./auditbeat.log: "name": "/bin/curl",
