diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 0b78fda67b52..6b27969654fe 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -42,6 +42,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Rename identity as identity_name when the value is a string in Azure Platform Logs. {pull}33654[33654]
 - Fix 'requires pointer' error while getting cursor metadata. {pull}33956[33956]
 - [google_workspace] Fix pagination and cursor value update. {pull}34274[34274]
+- Fix handling of quoted values in auditd module. {issue}22587[22587] {pull}34069[34069]
 
 
 *Heartbeat*
diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml
index 826761837d52..d2446e3acf56 100644
--- a/filebeat/module/auditd/log/ingest/pipeline.yml
+++ b/filebeat/module/auditd/log/ingest/pipeline.yml
@@ -22,8 +22,8 @@ processors:
     - "%{AUDIT_TYPE} %{AUDIT_KEY_VALUES:auditd.log.kv}"
 - kv:
     field: auditd.log.kv
-    field_split: "\\s+"
-    value_split: "="
+    field_split: '\s(?![\w\"]+?(\s+|$))'
+    value_split: '(?<!\\)='
     target_field: auditd.log
 - kv:
     field: auditd.log.sub_kv
diff --git a/filebeat/module/auditd/log/test/audit-rhel7_2.log b/filebeat/module/auditd/log/test/audit-rhel7_2.log
new file mode 100644
index 000000000000..43707b1e4821
--- /dev/null
+++ b/filebeat/module/auditd/log/test/audit-rhel7_2.log
@@ -0,0 +1 @@
+type=ANOM_ABEND msg=audit(1605431420.026:123): auid=12345 uid=123 gid=123 ses=123456789 pid=1234 comm="extproc" reason="memory violation" sig=6
diff --git a/filebeat/module/auditd/log/test/audit-rhel7_2.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7_2.log-expected.json
new file mode 100644
index 000000000000..d3cd45bf0c9b
--- /dev/null
+++ b/filebeat/module/auditd/log/test/audit-rhel7_2.log-expected.json
@@ -0,0 +1,32 @@
+[
+    {
+        "@timestamp": "2020-11-15T09:10:20.026Z",
+        "auditd.log.reason": "memory violation",
+        "auditd.log.record_type": "ANOM_ABEND",
+        "auditd.log.sequence": 123,
+        "auditd.log.ses": "123456789",
+        "auditd.log.sig": "6",
+        "event.action": [
+            "crashed-program"
+        ],
+        "event.category": [
+            "process"
+        ],
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=ANOM_ABEND msg=audit(1605431420.026:123): auid=12345 uid=123 gid=123 ses=123456789 pid=1234 comm=\"extproc\" reason=\"memory violation\" sig=6",
+        "event.type": [
+            "end"
+        ],
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 0,
+        "process.name": "extproc",
+        "process.pid": 1234,
+        "service.type": "auditd",
+        "user.audit.id": "12345",
+        "user.group.id": "123",
+        "user.id": "123"
+    }
+]
\ No newline at end of file