TTY logging decoding

I realised that the events you are pasting don't come from Auditbeat, but Filebeat. Those are log lines read from /var/log/audit/audit.log and not auditd events reported by Auditbeat.

I think you have Filebeat feeding logs to Elasticsearch too and got confused.

An Auditbeat event looks like this:

  "@timestamp": "2018-10-02T10:20:56.849Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "doc",
    "version": "7.0.0-alpha1"
  },
  "beat": {
    "name": "localhost.localdomain",
    "hostname": "localhost.localdomain",
    "version": "7.0.0-alpha1"
  },
  "event": {
    "category": "TTY",
    "type": "tty",
    "action": "typed",
    "module": "auditd"
  },
  "user": {
    "name_map": {
      "auid": "vagrant",
      "uid": "root"
    },
    "auid": "1000",
    "uid": "0"
  },
  "process": {
    "pid": "1680",
    "name": "yum"
  },
  "auditd": {
    "data": {
      "data": "y\n",   # <- KEYSTROKES HERE
      "major": "136",
      "minor": "0"
    },
    "summary": {
      "how": "yum",
      "actor": {
        "primary": "vagrant",
        "secondary": "root"
      },
      "object": {
        "type": "keystrokes",
        "primary": "y\n"
      }
    },
    "sequence": 604,
    "result": "unknown",
    "session": "3"
  },
  "host": {
    "name": "localhost.localdomain"
  }
}

If you're using Kibana to inspect the events, make sure you have an auditbeat index pattern selected, not filebeat.