Hello,
I've been exploring the new SIEM features in 7.3 and am pretty excited about promoting ECS at work.
I noticed that when ingesting my auth logs from Ubuntu 18.04 using the system module included with filebeat, that sudo entries from the auth.log just show up blank in the timeline explorer.
Was this a design decision? Shouldn't a sudo event have event fields populated too?
It's not a design decision, it's more of something that's not complete yet. We're still in the process of defining those fields and will work on improving the Beats modules to consistently fill them. This is a pretty long process, though.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
