[Auditbeat] Remove unset user.auid and auditd.session #11431
Labels
Comments
|
cc: @FrankHassanabad |
|
Is there a reason to do this only for |
adriansr
added a commit
to adriansr/beats
that referenced
this issue
Apr 15, 2019
The auditd module sets `user.audit.id` and `auditd.session` to `unset` when they are not present in the original event. This changes this behavior and removes the fields from the event. The same logic is applied to any other *ID field that might be marked as unset. Closes elastic#11431
adriansr
added a commit
that referenced
this issue
Apr 18, 2019
The auditd module sets `user.audit.id` and `auditd.session` to `unset` when they are not present in the original event. This changes this behavior and removes the fields from the event. The same logic is applied to any other *ID field that might be marked as unset. Closes #11431
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It has been requested to drop the user.auid field when the value is
unset.Likewise we should follow the same practice for the unset session IDs (
auditd.session:unset).The text was updated successfully, but these errors were encountered: