Integration Name
Auditd Logs [packages/auditd]
Dataset Name
auditd.log
Integration Version
3.21.0
Agent Version
8.16.5
Agent Output Type
logstash
Elasticsearch Version
9.3.3
OS Version and Architecture
Oracle Linux Server (x86_64)
Software/API Version
N/A
Error Message
There is no specific error message in the parsed document. The issue is that when the logs are processed by the default ingest pipeline, group.name and user.name are not extracted for the group-creation event, even though the values are present in the log entry.
Event Original
type=ADD_GROUP msg=audit(1781533204.613:1308): pid=1234 uid=0 auid=1000000000 ses=10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group id=2001 exe="/usr/sbin/groupadd" hostname=sanitized-host-01.example.local addr=? terminal=pts/1 res=success'\u001dUID="root" AUID="user123456" ID="testgrp1001"
What did you do?
We expected group.name and user.name to be populated; for this record group.name should be testgrp1001 and user.name should be user123456.
What did you see?
{
"_index": ".ds-logs-auditd.log-prod-2026.06.13-000049",
"_id": "VUCny54B_4FuPt3JfnCR",
"_version": 1,
"_source": {
"agent": {
"name": "sanitized-linux-host-01.example.local",
"id": "11111111-2222-3333-4444-555555555555",
"ephemeral_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"type": "filebeat",
"version": "8.16.5"
},
"process": {
"pid": 5523,
"executable": "/usr/sbin/groupadd"
},
"log": {
"file": {
"path": "/var/log/audit/audit.log"
},
"offset": 9259926
},
"elastic_agent": {
"id": "11111111-2222-3333-4444-555555555555",
"version": "8.16.5",
"snapshot": false
},
"vertical": "cloud services",
"collection": {
"method": "elasticagent"
},
"auditd": {
"log": {
"ses": "29",
"op": "add-group",
"record_type": "ADD_GROUP",
"sequence": 1308,
"uid": "0",
"UID": "root",
"AUID": "user123456",
"hostname": "sanitized-linux-host-01.example.local",
"id": "1001",
"ID": "testgrp1001",
"subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
}
},
"tags": [
"preserve_original_event",
"auditd-log"
],
"input": {
"type": "log"
},
"logstash": {
"pipeline": "lgp-app21968-logs-agent-prod",
"hostname": "sanitized-logstash-01",
"timestamp": "2026-06-15T14:20:12.266337Z"
},
"bt": {
"appid": "app21968"
},
"@timestamp": "2026-06-15T14:20:04.613Z",
"ecs": {
"version": "8.11.0"
},
"data_stream": {
"namespace": "prod",
"type": "logs",
"dataset": "auditd.log"
},
"kafka": {
"partition": "1",
"device": "empty"
},
"host": {
"hostname": "sanitized-linux-host-01.example.local",
"os": {
"kernel": "5.14.0-000.00.0.el9_0.x86_64",
"name": "Linux Server",
"family": "redhat",
"type": "linux",
"version": "9.x",
"platform": "linux"
},
"containerized": false,
"ip": [
"192.0.2.10"
],
"name": "sanitized-linux-host-01.example.local",
"id": "00000000000000000000000000000000",
"mac": [
"00-00-5E-00-53-01"
],
"architecture": "x86_64"
},
"@Version": "1",
"event": {
"agent_id_status": "auth_metadata_missing",
"ingested": "2026-06-15T14:20:12Z",
"original": "type=ADD_GROUP msg=audit(1781533204.613:1308): pid=5523 uid=0 auid=1359801150 ses=29 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group id=1001 exe=\"/usr/sbin/groupadd\" hostname=sanitized-linux-host-01.example.local addr=? terminal=pts/3 res=success'\u001dUID=\"root\" AUID=\"user123456\" ID=\"testgrp1001\"",
"kind": "event",
"action": [
"added-group-account-to"
],
"category": [
"iam"
],
"type": [
"group",
"creation"
],
"dataset": "auditd.log",
"outcome": "success"
},
"user": {
"effective": {
"id": "0"
},
"audit": {
"id": "1359801150"
},
"id": "1359801150",
"terminal": "pts/3"
},
"group": {
"id": "1001"
}
},
"fields": {
"elastic_agent.version": [
"8.16.5"
],
"event.category": [
"iam"
],
"auditd.log.subj": [
"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
],
"host.os.name.text": [
"Linux Server"
],
"auditd.log.record_type": [
"ADD_GROUP"
],
"host.hostname": [
"sanitized-linux-host-01.example.local"
],
"process.pid": [
5523
],
"host.mac": [
"00-00-5E-00-53-01"
],
"logstash.pipeline": [
"lgp-app21968-logs-agent-prod"
],
"auditd.log.ID": [
"testgrp1001"
],
"auditd.log.id": [
"1001"
],
"agent.name.text": [
"sanitized-linux-host-01.example.local"
],
"host.os.version": [
"9.x"
],
"host.os.name": [
"Linux Server"
],
"agent.name": [
"sanitized-linux-host-01.example.local"
],
"auditd.log.hostname": [
"sanitized-linux-host-01.example.local"
],
"host.name": [
"sanitized-linux-host-01.example.local"
],
"event.agent_id_status": [
"auth_metadata_missing"
],
"event.kind": [
"event"
],
"event.outcome": [
"success"
],
"event.original": [
"type=ADD_GROUP msg=audit(1781533204.613:1308): pid=5523 uid=0 auid=1359801150 ses=29 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group id=1001 exe=\"/usr/sbin/groupadd\" hostname=sanitized-linux-host-01.example.local addr=? terminal=pts/3 res=success'\u001dUID=\"root\" AUID=\"user123456\" ID=\"testgrp1001\""
],
"host.os.type": [
"linux"
],
"user.id": [
"1359801150"
],
"input.type": [
"log"
],
"log.offset": [
9259926
],
"data_stream.type": [
"logs"
],
"tags": [
"preserve_original_event",
"auditd-log"
],
"host.architecture": [
"x86_64"
],
"agent.id": [
"11111111-2222-3333-4444-555555555555"
],
"ecs.version": [
"8.11.0"
],
"host.containerized": [
false
],
"agent.version": [
"8.16.5"
],
"host.os.family": [
"redhat"
],
"user.terminal": [
"pts/3"
],
"auditd.log.uid": [
"0"
],
"group.id": [
"1001"
],
"user.audit.id": [
"1359801150"
],
"user.effective.id": [
"0"
],
"auditd.log.op": [
"add-group"
],
"vertical": [
"cloud services"
],
"auditd.log.ses": [
"29"
],
"logstash.hostname": [
"sanitized-logstash-01"
],
"logstash.timestamp": [
"2026-06-15T14:20:12.266Z"
],
"host.ip": [
"192.0.2.10"
],
"agent.type": [
"filebeat"
],
"process.executable.text": [
"/usr/sbin/groupadd"
],
"event.module": [
"auditd"
],
"host.os.kernel": [
"5.14.0-000.00.0.el9_0.x86_64"
],
"@Version": [
"1"
],
"elastic_agent.snapshot": [
false
],
"host.id": [
"00000000000000000000000000000000"
],
"process.executable": [
"/usr/sbin/groupadd"
],
"auditd.log.UID": [
"root"
],
"kafka.partition": [
"1"
],
"elastic_agent.id": [
"11111111-2222-3333-4444-555555555555"
],
"data_stream.namespace": [
"prod"
],
"bt.appid": [
"app21968"
],
"event.action": [
"added-group-account-to"
],
"event.ingested": [
"2026-06-15T14:20:12.000Z"
],
"@timestamp": [
"2026-06-15T14:20:04.613Z"
],
"host.os.platform": [
"linux"
],
"data_stream.dataset": [
"auditd.log"
],
"event.type": [
"group",
"creation"
],
"log.file.path": [
"/var/log/audit/audit.log"
],
"auditd.log.sequence": [
1308
],
"agent.ephemeral_id": [
"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
],
"collection.method": [
"elasticagent"
],
"auditd.log.AUID": [
"user123456"
],
"event.dataset": [
"auditd.log"
],
"kafka.device": [
"empty"
]
}
}
What did you expect to see?
We expected group.name and user.name to be populated; for this record group.name should be testgrp1001 and user.name should be user123456.
Anything else?
NA
Integration Name
Auditd Logs [packages/auditd]
Dataset Name
auditd.log
Integration Version
3.21.0
Agent Version
8.16.5
Agent Output Type
logstash
Elasticsearch Version
9.3.3
OS Version and Architecture
Oracle Linux Server (x86_64)
Software/API Version
N/A
Error Message
There is no specific error message in the parsed document. The issue is that when the logs are processed by the default ingest pipeline, group.name and user.name are not extracted for the group-creation event, even though the values are present in the log entry.
Event Original
type=ADD_GROUP msg=audit(1781533204.613:1308): pid=1234 uid=0 auid=1000000000 ses=10 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group id=2001 exe="/usr/sbin/groupadd" hostname=sanitized-host-01.example.local addr=? terminal=pts/1 res=success'\u001dUID="root" AUID="user123456" ID="testgrp1001"
What did you do?
We expected group.name and user.name to be populated; for this record group.name should be testgrp1001 and user.name should be user123456.
What did you see?
{
"_index": ".ds-logs-auditd.log-prod-2026.06.13-000049",
"_id": "VUCny54B_4FuPt3JfnCR",
"_version": 1,
"_source": {
"agent": {
"name": "sanitized-linux-host-01.example.local",
"id": "11111111-2222-3333-4444-555555555555",
"ephemeral_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
"type": "filebeat",
"version": "8.16.5"
},
"process": {
"pid": 5523,
"executable": "/usr/sbin/groupadd"
},
"log": {
"file": {
"path": "/var/log/audit/audit.log"
},
"offset": 9259926
},
"elastic_agent": {
"id": "11111111-2222-3333-4444-555555555555",
"version": "8.16.5",
"snapshot": false
},
"vertical": "cloud services",
"collection": {
"method": "elasticagent"
},
"auditd": {
"log": {
"ses": "29",
"op": "add-group",
"record_type": "ADD_GROUP",
"sequence": 1308,
"uid": "0",
"UID": "root",
"AUID": "user123456",
"hostname": "sanitized-linux-host-01.example.local",
"id": "1001",
"ID": "testgrp1001",
"subj": "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
}
},
"tags": [
"preserve_original_event",
"auditd-log"
],
"input": {
"type": "log"
},
"logstash": {
"pipeline": "lgp-app21968-logs-agent-prod",
"hostname": "sanitized-logstash-01",
"timestamp": "2026-06-15T14:20:12.266337Z"
},
"bt": {
"appid": "app21968"
},
"@timestamp": "2026-06-15T14:20:04.613Z",
"ecs": {
"version": "8.11.0"
},
"data_stream": {
"namespace": "prod",
"type": "logs",
"dataset": "auditd.log"
},
"kafka": {
"partition": "1",
"device": "empty"
},
"host": {
"hostname": "sanitized-linux-host-01.example.local",
"os": {
"kernel": "5.14.0-000.00.0.el9_0.x86_64",
"name": "Linux Server",
"family": "redhat",
"type": "linux",
"version": "9.x",
"platform": "linux"
},
"containerized": false,
"ip": [
"192.0.2.10"
],
"name": "sanitized-linux-host-01.example.local",
"id": "00000000000000000000000000000000",
"mac": [
"00-00-5E-00-53-01"
],
"architecture": "x86_64"
},
"@Version": "1",
"event": {
"agent_id_status": "auth_metadata_missing",
"ingested": "2026-06-15T14:20:12Z",
"original": "type=ADD_GROUP msg=audit(1781533204.613:1308): pid=5523 uid=0 auid=1359801150 ses=29 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group id=1001 exe=\"/usr/sbin/groupadd\" hostname=sanitized-linux-host-01.example.local addr=? terminal=pts/3 res=success'\u001dUID=\"root\" AUID=\"user123456\" ID=\"testgrp1001\"",
"kind": "event",
"action": [
"added-group-account-to"
],
"category": [
"iam"
],
"type": [
"group",
"creation"
],
"dataset": "auditd.log",
"outcome": "success"
},
"user": {
"effective": {
"id": "0"
},
"audit": {
"id": "1359801150"
},
"id": "1359801150",
"terminal": "pts/3"
},
"group": {
"id": "1001"
}
},
"fields": {
"elastic_agent.version": [
"8.16.5"
],
"event.category": [
"iam"
],
"auditd.log.subj": [
"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
],
"host.os.name.text": [
"Linux Server"
],
"auditd.log.record_type": [
"ADD_GROUP"
],
"host.hostname": [
"sanitized-linux-host-01.example.local"
],
"process.pid": [
5523
],
"host.mac": [
"00-00-5E-00-53-01"
],
"logstash.pipeline": [
"lgp-app21968-logs-agent-prod"
],
"auditd.log.ID": [
"testgrp1001"
],
"auditd.log.id": [
"1001"
],
"agent.name.text": [
"sanitized-linux-host-01.example.local"
],
"host.os.version": [
"9.x"
],
"host.os.name": [
"Linux Server"
],
"agent.name": [
"sanitized-linux-host-01.example.local"
],
"auditd.log.hostname": [
"sanitized-linux-host-01.example.local"
],
"host.name": [
"sanitized-linux-host-01.example.local"
],
"event.agent_id_status": [
"auth_metadata_missing"
],
"event.kind": [
"event"
],
"event.outcome": [
"success"
],
"event.original": [
"type=ADD_GROUP msg=audit(1781533204.613:1308): pid=5523 uid=0 auid=1359801150 ses=29 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group id=1001 exe=\"/usr/sbin/groupadd\" hostname=sanitized-linux-host-01.example.local addr=? terminal=pts/3 res=success'\u001dUID=\"root\" AUID=\"user123456\" ID=\"testgrp1001\""
],
"host.os.type": [
"linux"
],
"user.id": [
"1359801150"
],
"input.type": [
"log"
],
"log.offset": [
9259926
],
"data_stream.type": [
"logs"
],
"tags": [
"preserve_original_event",
"auditd-log"
],
"host.architecture": [
"x86_64"
],
"agent.id": [
"11111111-2222-3333-4444-555555555555"
],
"ecs.version": [
"8.11.0"
],
"host.containerized": [
false
],
"agent.version": [
"8.16.5"
],
"host.os.family": [
"redhat"
],
"user.terminal": [
"pts/3"
],
"auditd.log.uid": [
"0"
],
"group.id": [
"1001"
],
"user.audit.id": [
"1359801150"
],
"user.effective.id": [
"0"
],
"auditd.log.op": [
"add-group"
],
"vertical": [
"cloud services"
],
"auditd.log.ses": [
"29"
],
"logstash.hostname": [
"sanitized-logstash-01"
],
"logstash.timestamp": [
"2026-06-15T14:20:12.266Z"
],
"host.ip": [
"192.0.2.10"
],
"agent.type": [
"filebeat"
],
"process.executable.text": [
"/usr/sbin/groupadd"
],
"event.module": [
"auditd"
],
"host.os.kernel": [
"5.14.0-000.00.0.el9_0.x86_64"
],
"@Version": [
"1"
],
"elastic_agent.snapshot": [
false
],
"host.id": [
"00000000000000000000000000000000"
],
"process.executable": [
"/usr/sbin/groupadd"
],
"auditd.log.UID": [
"root"
],
"kafka.partition": [
"1"
],
"elastic_agent.id": [
"11111111-2222-3333-4444-555555555555"
],
"data_stream.namespace": [
"prod"
],
"bt.appid": [
"app21968"
],
"event.action": [
"added-group-account-to"
],
"event.ingested": [
"2026-06-15T14:20:12.000Z"
],
"@timestamp": [
"2026-06-15T14:20:04.613Z"
],
"host.os.platform": [
"linux"
],
"data_stream.dataset": [
"auditd.log"
],
"event.type": [
"group",
"creation"
],
"log.file.path": [
"/var/log/audit/audit.log"
],
"auditd.log.sequence": [
1308
],
"agent.ephemeral_id": [
"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
],
"collection.method": [
"elasticagent"
],
"auditd.log.AUID": [
"user123456"
],
"event.dataset": [
"auditd.log"
],
"kafka.device": [
"empty"
]
}
}
What did you expect to see?
We expected group.name and user.name to be populated; for this record group.name should be testgrp1001 and user.name should be user123456.
Anything else?
NA