The maxiunm fields support in auditbeat

masonlu2014 · December 14, 2022, 10:23am

hello team,

may i know what the biggest length can be support in auditbeat ? as i tested, it looks like auditbeat truncated the fields vaule here when it long enough

for example, when i enter a super long fake curl command "curl http://23123123214321421fasdsadasdsadasfasfsafagsgdsgsdgxxxxxxxxx1234567890aaaaaaaaaaaaaccccccccccccccxxxxxxxxxxxxxxxxxxx9934"

and i saw from the debug mode, it truncate 34 here

/auditbeat.log: "path": "/bin/curl",
./auditbeat.log: "name": "curl",
./auditbeat.log: "executable": "/usr/bin/curl",
./auditbeat.log: "curl",
./auditbeat.log: "title": "curl http://23123123214321421fasdsadasdsadasfasfsafagsgdsgsdgxxxxxxxxx1234567890aaaaaaaaaaaaaccccccccccccccxxxxxxxxxxxxxxxxxxx99"
./auditbeat.log: "T1105_Lateral_Movement_curl"
./auditbeat.log: "primary": "/bin/curl",
./auditbeat.log: "how": "/usr/bin/curl"
./auditbeat.log: "name": "/bin/curl",

system · January 11, 2023, 12:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auditbeat process.args shortened Beats auditbeat	1	295	July 28, 2023
Trunce events problem Beats auditbeat	0	94	May 14, 2024
Add Winlogbeat option to truncate Security 'message' field to just first line Beats winlogbeat	2	2348	May 27, 2016
Filebeat journald input truncates custom fields at ~64KiB Beats filebeat	3	281	April 17, 2024
Field not comming in audit beat logs user.audit.name Beats auditbeat	4	438	January 8, 2020

The maxiunm fields support in auditbeat

Related topics