elastic
diff --git a/‎filebeat/module/auditd/log/ingest/pipeline.yml‎
Lines changed: 88 additions & 0 deletions b/‎filebeat/module/auditd/log/ingest/pipeline.yml‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json‎
Lines changed: 4 additions & 0 deletions b/‎filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json‎
Lines changed: 4 additions & 0 deletions
@@ -176,6 +176,94 @@ processors:
 - set:
     field: event.kind
     value: event
+- set:
+    if: "ctx.auditd.log?.record_type == 'CONFIG_CHANGE'"
+    field: event.category
+    value: configuration
+- set:
+    if: "ctx.auditd.log?.record_type == 'CONFIG_CHANGE'"
+    field: event.type
+    value: change
+- set:
+    if: "ctx.auditd.log?.record_type == 'DAEMON_CONFIG'"
+    field: event.category
+    value: configuration
+- set:
+    if: "ctx.auditd.log?.record_type == 'DAEMON_CONFIG'"
+    field: event.type
+    value: change
+- set:
+    if: "ctx.auditd.log?.record_type == 'DAEMON_RECONFIG'"
+    field: event.category
+    value: configuration
+- set:
+    if: "ctx.auditd.log?.record_type == 'DAEMON_RECONFIG'"
+    field: event.type
+    value: info
+- set:
+    if: "ctx.auditd.log?.record_type == 'USYS_CONFIG'"
+    field: event.category
+    value: configuration
+- set:
+    if: "ctx.auditd.log?.record_type == 'USYS_CONFIG'"
+    field: event.type
+    value: info
+- set:
+    if: "ctx.auditd.log?.record_type == 'NETFILTER_CFG'"
+    field: event.category
+    value: configuration
+- set:
+    if: "ctx.auditd.log?.record_type == 'NETFILTER_CFG'"
+    field: event.type
+    value: info
+- set:
+    if: "ctx.auditd.log?.record_type == 'FEATURE_CHANGE'"
+    field: event.category
+    value: configuration
+- set:
+    if: "ctx.auditd.log?.record_type == 'FEATURE_CHANGE'"
+    field: event.type
+    value: info
+- set:
+    if: "ctx.auditd.log?.record_type == 'MAC_CONFIG_CHANGE'"
+    field: event.category
+    value: configuration
+- set:
+    if: "ctx.auditd.log?.record_type == 'MAC_CONFIG_CHANGE'"
+    field: event.type
+    value: info
+- set:
+    if: "ctx.auditd.log?.record_type == 'MAC_POLICY_LOAD'"
+    field: event.category
+    value: configuration
+- set:
+    if: "ctx.auditd.log?.record_type == 'MAC_POLICY_LOAD'"
+    field: event.type
+    value: access
+- set:
+    if: "ctx.auditd.log?.record_type == 'MAC_STATUS'"
+    field: event.category
+    value: configuration
+- set:
+    if: "ctx.auditd.log?.record_type == 'MAC_STATUS'"
+    field: event.type
+    value: change
+- set:
+    if: "ctx.auditd.log?.record_type == 'USER_MAC_CONFIG_CHANGE'"
+    field: event.category
+    value: configuration
+- set:
+    if: "ctx.auditd.log?.record_type == 'USER_MAC_CONFIG_CHANGE'"
+    field: event.type
+    value: change
+- set:
+    if: "ctx.auditd.log?.record_type == 'USER_MAC_POLICY_LOAD'"
+    field: event.category
+    value: configuration
+- set:
+    if: "ctx.auditd.log?.record_type == 'USER_MAC_POLICY_LOAD'"
+    field: event.type
+    value: access
 - set:
     if: "ctx.auditd.log?.record_type == 'USER_AUTH'"
     field: event.category
 
@@ -31,10 +31,12 @@
         "auditd.log.ses": "4294967295",
         "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0",
         "event.action": "config_change",
+        "event.category": "configuration",
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
         "event.outcome": "1",
+        "event.type": "change",
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 234,
@@ -50,10 +52,12 @@
         "auditd.log.ses": "4294967295",
         "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0",
         "event.action": "config_change",
+        "event.category": "configuration",
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
         "event.outcome": "1",
+        "event.type": "change",
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 425,