diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline-json.yml b/filebeat/module/elasticsearch/audit/ingest/pipeline-json.yml
index e05c915d59e..bced704618b 100644
--- a/filebeat/module/elasticsearch/audit/ingest/pipeline-json.yml
+++ b/filebeat/module/elasticsearch/audit/ingest/pipeline-json.yml
@@ -7,7 +7,9 @@ processors:
 field: event.type
 path: elasticsearch.audit
 - drop:
- if: '!["rest", "transport", "ip_filter", "security_config_change"].contains(ctx.elasticsearch?.audit?.event?.type)'
+ if: 'ctx.elasticsearch.audit.containsKey('type') && ctx.elasticsearch.audit.type != 'audit'
+ - drop:
+ if: '!ctx.elasticsearch.audit.containsKey('type') && !["rest", "transport", "ip_filter", "security_config_change"].contains(ctx.elasticsearch?.audit?.event?.type)'
 - remove:
 field: elasticsearch.audit.type
 ignore_missing: true
diff --git a/filebeat/module/elasticsearch/audit/test/test-audit-docker.log b/filebeat/module/elasticsearch/audit/test/test-audit-docker.log
index ac562db5463..5beb90d9777 100644
--- a/filebeat/module/elasticsearch/audit/test/test-audit-docker.log
+++ b/filebeat/module/elasticsearch/audit/test/test-audit-docker.log
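Review bot: The two added `if:` values are not valid single-quoted YAML scalars: the inner `'type'` and `'audit'` literals end the scalar early (a literal `'` inside single quotes must be written `''`), and the first condition also has no closing quote, so the pipeline file fails to load before any event is filtered. Painless accepts double-quoted string literals, so switching the inner quotes keeps the conditions unchanged: `if: 'ctx.elasticsearch.audit.containsKey("type") && ctx.elasticsearch.audit.type != "audit"'` and `if: '!ctx.elasticsearch.audit.containsKey("type") && !["rest", "transport", "ip_filter", "security_config_change"].contains(ctx.elasticsearch?.audit?.event?.type)'`. A loaded pipeline that never parses is also worth a module-level test that round-trips this file through a YAML parser, since the second condition reads as "valid" at a glance. Note that with this pair of drops, a line carrying `"type": "audit"` is no longer checked against the event.type allowlist at all; if that is intended, a short comment above the first `- drop:` saying so would help the next reader. The `processors` list continues outside this hunk.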
@@ -1,2 +1,3 @@
 {"type": "audit", "timestamp":"2019-06-11T15:03:32,102+0000", "node.id":"Xaq2BFVcQ1OhyMrjL8gNOg", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"172.17.0.1:40380", "url.path":"/", "request.method":"GET", "request.id":"pkduyMB5Tly6xgmkYbZi-A"}
+{"type": "server", "timestamp": "2019-06-11T15:03:32,777+0000", "level": "INFO", "component": "o.e.x.s.a.AuthenticationService", "cluster.name": "docker-cluster", "node.name": "dff7befc418f", "cluster.uuid": "xEiKc6ipRiyzU8_8czXrJw", "node.id": "Xaq2BFVcQ1OhyMrjL8gNOg", "message": "Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]" }
 {"type": "audit", "timestamp":"2019-06-11T15:03:32,778+0000", "node.id":"Xaq2BFVcQ1OhyMrjL8gNOg", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"172.17.0.1:40380", "url.path":"/", "request.method":"GET", "request.id":"KPgEINaXSbGNaIobp8OcMw"}