Renamed auditd module fields

CHANGELOG.asciidoc

@@ -27,6 +27,7 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di
   named auditd and file_integrity, respectively. This change requires
   existing users to update their config. {issue}5422[5422]
 - Renamed file_integrity module fields. {issue}5423[5423] {pull}5995[5995]
+- Renamed auditd module fields. {issue}5423[5423] {pull}6080[6080]
 
 *Filebeat*
 - Switch to docker prospector in sample manifests for Kubernetes deployment {pull}5963[5963]
@@ -63,6 +64,9 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di
 
 - Add an error check to the file integrity scanner to prevent a panic when
   there is an error reading file info via lstat. {issue}6005[6005]
+- Fixed an issue where the proctitle value was being truncated.
+- Fixed an issue where values were incorrectly interpretted as hex data.
+- Fixed parsing of the `key` value when multiple keys are present.
 
 *Filebeat*
 

auditbeat/_meta/fields.common.yml

@@ -3,7 +3,121 @@
   description: >
     Contains common fields available in all event types.
   fields:
-    - name: event.module
+  - name: event.module
+    description: >
+      The name of the module that generated the event.
+
+  - name: event.action
+    type: keyword
+    example: logged-in
+    description: >
+      Action describes the change that triggered the event.
+
+      For the file integrity module the possible values are:
+      attributes_modified, created, deleted, updated, moved, and config_change.
+
+  - name: file
+    type: group
+    description: File attributes.
+    fields:
+    - name: path
+      type: text
+      description: The path to the file.
+      multi_fields:
+      - name: raw
+        type: keyword
+        description: >
+          The path to the file. This is a non-analyzed field that is useful
+          for aggregations.
+
+    - name: target_path
+      type: keyword
+      description: The target path for symlinks.
+
+    - name: type
+      type: keyword
+      description: The file type (file, dir, or symlink).
+
+    - name: device
+      type: keyword
+      description: The device.
+
+    - name: inode
+      type: keyword
+      description: The inode representing the file in the filesystem.
+
+    - name: uid
+      type: keyword
+      description: >
+        The user ID (UID) or security identifier (SID) of the file owner.
+
+    - name: owner
+      type: keyword
+      description: The file owner's username.
+
+    - name: gid
+      type: keyword
+      description: The primary group ID (GID) of the file.
+
+    - name: group
+      type: keyword
+      description: The primary group name of the file.
+
+    - name: mode
+      type: keyword
+      example: 0640
+      description: The mode of the file in octal representation.
+
+    - name: setuid
+      type: boolean
+      example: true
+      description: Set if the file has the `setuid` bit set. Omitted otherwise.
+
+    - name: setgid
+      type: boolean
+      example: true
+      description: Set if the file has the `setgid` bit set. Omitted otherwise.
+
+    - name: size
+      type: long
+      description: The file size in bytes (field is only added when `type` is `file`).
+
+    - name: mtime
+      type: date
+      description: The last modified time of the file (time when content was modified).
+
+    - name: ctime
+      type: date
+      description: The last change time of the file (time when metadata was changed).
+
+    - name: origin
+      type: text
       description: >
-        The name of the module that generated the event.
+          An array of strings describing a possible external origin for
+          this file. For example, the URL it was downloaded from. Only
+          supported in macOS, via the kMDItemWhereFroms attribute.
+          Omitted if origin information is not available.
+      multi_fields:
+      - name: raw
+        type: keyword
+        description: >
+          This is a non-analyzed field that is useful for aggregations on the
+          origin data.
 
+    - name: selinux
+      type: group
+      description: The SELinux identity of the file.
+      fields:
+      - name: user
+        type: keyword
+        description: The owner of the object.
+      - name: role
+        type: keyword
+        description: The object's SELinux role.
+      - name: domain
+        type: keyword
+        description: The object's SELinux domain or type.
+      - name: level
+        type: keyword
+        example: s0
+        description: The object's SELinux level.

auditbeat/auditbeat.reference.yml

@@ -52,8 +52,8 @@ auditbeat.modules:
     ## Executions.
     #-a always,exit -F arch=b64 -S execve,execveat -k exec
 
-    ## External access.
-    #-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
+    ## External access (warning: these can be expensive to audit).
+    #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
 
     ## Identity changes.
     #-w /etc/group -p wa -k identity

auditbeat/auditbeat.yml

@@ -25,8 +25,8 @@ auditbeat.modules:
     ## Executions.
     #-a always,exit -F arch=b64 -S execve,execveat -k exec
 
-    ## External access.
-    #-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
+    ## External access (warning: these can be expensive to audit).
+    #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
 
     ## Identity changes.
     #-w /etc/group -p wa -k identity