Why don't sudo events from auth.log have an event.category/event.action?


I've been exploring the new SIEM features in 7.3 and am pretty excited about promoting ECS at work.

I noticed that when ingesting my auth logs from Ubuntu 18.04 using the system module included with filebeat, that sudo entries from the auth.log just show up blank in the timeline explorer.

Was this a design decision? Shouldn't a sudo event have event fields populated too?

It's not a design decision, it's more of something that's not complete yet. We're still in the process of defining those fields and will work on improving the Beats modules to consistently fill them. This is a pretty long process, though.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.