As discussed internally, the Filebeat auditd module parsing and enrichment capabilities are not the same as the Auditbeat auditd module parsing and enrichment capabilities; however, the source document includes an unclear statement from the "what happens" document.
We should add a note/disclaimer to the Filebeat auditd module documentation to notify users that the Filebeat auditd module parsing and enrichment capabilities are not the same as the Auditbeat auditd module parsing and enrichment capabilities.
Given the documentation gap, I have also filed #17068 to clarify the capabilities of the Filebeat auditd module.
The exception to this docs issue would be if #6484 was implemented, where the parsing logic used in the Auditbeat auditd module would be ported over to the Filebeat auditd module. If #6484 was implemented, we would not need to make changes to the current documentation.