WARNING: Version 6.0 of Auditbeat has passed its EOL date.

This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

« Drop fields from events Add Kubernetes metadata »
Elastic Docs Auditbeat Reference [6.0] Configuring Auditbeat Filter and enhance the exported data

Add additional fields to events

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Add additional fields to events

edit

The include_fields processor specifies which fields to export if a certain condition is fulfilled. The condition is optional. If it’s missing, the specified fields are always exported. The @timestamp and type fields are always exported, even if they are not defined in the include_fields list.

processors:
 - include_fields:
     when:
        condition
     fields: ["field1", "field2", ...]

See Conditions for a list of supported conditions.

You can specify multiple include_fields processors under the processors section.

If you define an empty list of fields under include_fields, then only the required fields, @timestamp and type, are exported.

« Drop fields from events Add Kubernetes metadata »