As a general rule, we strive to keep backwards compatibility between minor versions (e.g. 6.x to 6.y) so you can upgrade without any configuration file changes, but there are breaking changes between the earlier beta releases and the 6.2 GA release.
There are changes that affect both the configuration and the event schema.
The kernel metricset has become the auditd module.

Old configuration:

```yaml
- module: audit
  metricsets: ["kernel"]
  kernel.resolve_ids: true
  kernel.failure_mode: silent
  kernel.backlog_limit: 8196
  kernel.rate_limit: 0
  kernel.include_raw_message: false
  kernel.include_warnings: false
  kernel.audit_rules: |
    # Rules
```

New configuration:

```yaml
- module: auditd
  resolve_ids: true
  failure_mode: silent
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  audit_rules: |
    # Rules
```
file metricset has become the
Old configuration:

```yaml
- module: audit
  metricsets: [file]
  file.paths:
    - /bin
    - /usr/bin
    - /sbin
    - /usr/sbin
    - /etc
  file.scan_at_start: true
  file.scan_rate_per_sec: 50 MiB
  file.max_file_size: 100 MiB
  file.hash_types: [sha1]
```
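As an added example (not code from the Auditbeat project), a small migration helper that rewrites pre-6.2 `audit` module blocks into the 6.2 layout: it strips the `kernel.` prefix, renames the module to `auditd`, and splits a block that lists several metricsets into one module per metricset. It works on the already-parsed YAML and only knows the kernel-to-auditd rename from this page; any other metricset needs a module name supplied by the caller.

```python
# Added example (not Auditbeat project code): migrate pre-6.2 'audit' module
# blocks to the 6.2 layout, working on already-parsed YAML (list of dicts).
from typing import Any, Dict, List

# Old metricset name -> new 6.2 module name. Only kernel -> auditd is taken
# from the notes above; pass a larger mapping for other metricsets.
METRICSET_TO_MODULE: Dict[str, str] = {"kernel": "auditd"}


def migrate_module_block(block: Dict[str, Any],
                         mapping: Dict[str, str] = METRICSET_TO_MODULE
                         ) -> List[Dict[str, Any]]:
    """Split one old 'audit' block into one new module block per metricset.
    Keys prefixed '<metricset>.' move to that metricset's module with the
    prefix stripped; unprefixed keys (period, enabled, ...) are copied to
    every resulting module; prefixed keys of a metricset that is not enabled
    are dropped. Blocks that are not 'module: audit' pass through unchanged.
    """
    if block.get("module") != "audit":
        return [block]
    common = {k: v for k, v in block.items()
              if k not in ("module", "metricsets") and "." not in k}
    migrated = []
    for ms in block.get("metricsets", []):
        if ms not in mapping:
            raise ValueError(f"no 6.2 module name known for metricset {ms!r}")
        prefix = f"{ms}."
        new_block: Dict[str, Any] = {"module": mapping[ms], **common}
        new_block.update({k[len(prefix):]: v for k, v in block.items()
                          if k.startswith(prefix)})
        migrated.append(new_block)
    return migrated


def migrate_config(modules: List[Dict[str, Any]],
                   mapping: Dict[str, str] = METRICSET_TO_MODULE
                   ) -> List[Dict[str, Any]]:
    """Migrate a whole auditbeat.modules list, one old block at a time."""
    out: List[Dict[str, Any]] = []
    for block in modules:
        out.extend(migrate_module_block(block, mapping))
    return out


# Constructed sample: the old kernel metricset block above, as parsed YAML.
OLD_KERNEL_BLOCK: Dict[str, Any] = {
    "module": "audit", "metricsets": ["kernel"],
    "kernel.resolve_ids": True, "kernel.failure_mode": "silent",
    "kernel.backlog_limit": 8196, "kernel.rate_limit": 0,
    "kernel.include_raw_message": False, "kernel.include_warnings": False,
    "kernel.audit_rules": "# Rules\n",
}
```

Running `migrate_config([OLD_KERNEL_BLOCK])` yields the `auditd` block shown in the new configuration above.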
Event Schema Changes
Most field names were changed in 6.2. The modules were renamed, and common field names are now used for similar data types across all modules. The table below summarizes the field changes.
In Kibana you need to import the latest dashboards that work with the new event format. The new dashboards will not work with data produced by older versions of Auditbeat.
Table 1. Renamed Fields
|Old Field||New Field|
[a] Based on the syscall type either the
[b] Fields related to a process
will be moved under the
[c] Fields related to a file will be
moved under the