I realised that the events you are pasting don't come from Auditbeat but from Filebeat: those are raw log lines read from /var/log/audit/audit.log,
not auditd events reported by Auditbeat.
I think you also have Filebeat shipping logs to Elasticsearch, and the two sources got mixed up.
An Auditbeat event looks like this:
{
"@timestamp": "2018-10-02T10:20:56.849Z",
"@metadata": {
"beat": "auditbeat",
"type": "doc",
"version": "7.0.0-alpha1"
},
"beat": {
"name": "localhost.localdomain",
"hostname": "localhost.localdomain",
"version": "7.0.0-alpha1"
},
"event": {
"category": "TTY",
"type": "tty",
"action": "typed",
"module": "auditd"
},
"user": {
"name_map": {
"auid": "vagrant",
"uid": "root"
},
"auid": "1000",
"uid": "0"
},
"process": {
"pid": "1680",
"name": "yum"
},
"auditd": {
"data": {
"data": "y\n", # <- KEYSTROKES HERE
"major": "136",
"minor": "0"
},
"summary": {
"how": "yum",
"actor": {
"primary": "vagrant",
"secondary": "root"
},
"object": {
"type": "keystrokes",
"primary": "y\n"
}
},
"sequence": 604,
"result": "unknown",
"session": "3"
},
"host": {
"name": "localhost.localdomain"
}
}
If you're using Kibana to inspect the events, make sure you have the auditbeat index pattern selected, not the filebeat one.