From 71d2fb975d649c575999addd53808d379fb9e51a Mon Sep 17 00:00:00 2001
From: Andrew Kroh <andrew.kroh@elastic.co>
Date: Tue, 12 Dec 2017 10:15:50 -0500
Subject: [PATCH] Rename Auditbeat modules

This changes the audit.file and audit.kernel metricsets into modules
named file_integrity and auditd, respectively. This requires existing
users to update their configuration.

The dashboards need to be updated to account for these changes.

Closes #5422 (see the issue for more details)
---
 CHANGELOG.asciidoc                            |   3 +
 Vagrantfile                                   |  38 +-
 auditbeat/Makefile                            |   7 +-
 auditbeat/_meta/fields.common.yml             |  29 +-
 auditbeat/auditbeat.reference.yml             |  37 +-
 auditbeat/auditbeat.yml                       |  10 +-
 auditbeat/cmd/root.go                         |   9 +-
 auditbeat/core/eventmod.go                    |  16 +
 auditbeat/docs/fields.asciidoc                | 445 ++++-----
 auditbeat/docs/modules/audit.asciidoc         |  75 --
 auditbeat/docs/modules/audit/file.asciidoc    |  19 -
 auditbeat/docs/modules/audit/kernel.asciidoc  |  19 -
 auditbeat/docs/modules/auditd.asciidoc        | 222 +++++
 .../docs/modules/file_integrity.asciidoc      | 120 +++
 auditbeat/docs/modules_list.asciidoc          |   6 +-
 auditbeat/main.go                             |   6 +-
 auditbeat/module/audit/_meta/config.yml.tpl   |  91 --
 auditbeat/module/audit/_meta/docs.asciidoc    |   6 -
 auditbeat/module/audit/_meta/fields.yml       |  11 -
 auditbeat/module/audit/doc.go                 |   4 -
 auditbeat/module/audit/file/_meta/data.json   |  34 -
 auditbeat/module/audit/file/_meta/fields.yml  | 124 ---
 .../module/audit/kernel/_meta/fields.yml      | 859 -----------------
 .../module/audit/kernel/audit_unsupported.go  |  21 -
 auditbeat/module/audit/kernel/doc.go          |   3 -
 auditbeat/module/audit/module.yml             |  12 -
 auditbeat/module/auditd/_meta/config.yml.tpl  |  40 +
 .../{audit/kernel => auditd}/_meta/data.json  |  11 +-
 .../kernel => auditd}/_meta/docs.asciidoc     |  58 +-
 auditbeat/module/auditd/_meta/fields.yml      | 862 ++++++++++++++++++
 .../5.x/dashboard/AV0tXkjYg1PYniApZbKP.json   |   0
 .../visualization/AV0tV05vg1PYniApZbA2.json   |   0
 .../visualization/AV0tVcg6g1PYniApZa-v.json   |   0
 .../visualization/AV0tW0djg1PYniApZbGL.json   |   0
 .../visualization/AV0tWL-Yg1PYniApZbCs.json   |   0
 .../visualization/AV0tWSdXg1PYniApZbDU.json   |   0
 .../visualization/AV0tY6jwg1PYniApZbRY.json   |   0
 .../visualization/AV0tav8Ag1PYniApZbbK.json   |   0
 .../visualization/AV0tbcUdg1PYniApZbe1.json   |   0
 .../visualization/AV0tc_xZg1PYniApZbnL.json   |   0
 .../visualization/AV0te0TCg1PYniApZbw9.json   |   0
 .../visualization/AV0tes4Eg1PYniApZbwV.json   |   0
 .../dashboard/auditbeat-file-integrity.json   |   0
 .../auditbeat-kernel-executions.json          |   0
 .../dashboard/auditbeat-kernel-overview.json  |   0
 .../dashboard/auditbeat-kernel-sockets.json   |   0
 .../{audit/kernel => auditd}/audit_linux.go   |  81 +-
 .../kernel => auditd}/audit_linux_test.go     | 112 ++-
 auditbeat/module/auditd/audit_unsupported.go  |  22 +
 .../module/{audit/kernel => auditd}/config.go |  35 +-
 .../kernel => auditd}/config_linux_test.go    |   8 +-
 auditbeat/module/auditd/doc.go                |   3 +
 .../kernel => auditd}/mock_linux_test.go      |   2 +-
 auditbeat/module/auditd/module.yml            |   9 +
 .../file_integrity/_meta/config.yml.tpl       |  48 +
 .../module/file_integrity/_meta/data.json     |  30 +
 .../_meta/docs.asciidoc                       |  52 +-
 .../module/file_integrity/_meta/fields.yml    | 121 +++
 .../{audit/file => file_integrity}/action.go  |   2 +-
 .../{audit/file => file_integrity}/config.go  |  26 +-
 .../file => file_integrity}/config_test.go    |  26 +-
 .../{audit/file => file_integrity}/event.go   |  17 +-
 .../file => file_integrity}/event_test.go     |   2 +-
 .../eventreader_fsevents.go                   |   2 +-
 .../eventreader_fsnotify.go                   |   4 +-
 .../eventreader_test.go                       |   6 +-
 .../eventreader_unsupported.go                |   2 +-
 .../file => file_integrity}/fileinfo_bsd.go   |   2 +-
 .../file => file_integrity}/fileinfo_linux.go |   2 +-
 .../file => file_integrity}/fileinfo_posix.go |   2 +-
 .../file => file_integrity}/fileinfo_test.go  |   2 +-
 .../fileinfo_windows.go                       |   2 +-
 .../file => file_integrity}/flatbuffers.go    |   4 +-
 .../flatbuffers_test.go                       |   2 +-
 .../file => file_integrity}/metricset.go      |  50 +-
 .../file => file_integrity}/metricset_test.go |  70 +-
 auditbeat/module/file_integrity/module.yml    |   3 +
 .../monitor/filetree.go                       |   0
 .../monitor/filetree_test.go                  |   0
 .../monitor/monitor.go                        |   0
 .../monitor/monitor_test.go                   |   0
 .../monitor/nonrecursive.go                   |   0
 .../monitor/recursive.go                      |   0
 .../{audit/file => file_integrity}/scanner.go |   2 +-
 .../file => file_integrity}/scanner_test.go   |   2 +-
 .../{audit/file => file_integrity}/schema.fbs |   0
 .../file => file_integrity}/schema/Action.go  |   0
 .../file => file_integrity}/schema/Event.go   |   0
 .../file => file_integrity}/schema/Hash.go    |   0
 .../schema/Metadata.go                        |   0
 .../file => file_integrity}/schema/Source.go  |   0
 .../file => file_integrity}/schema/Type.go    |   0
 .../security_windows.go                       |   2 +-
 .../security_windows_test.go                  |   2 +-
 .../zsecurity_windows.go                      |   2 +-
 auditbeat/scripts/docs_collector.py           |  14 +-
 metricbeat/mb/testing/data_generator.go       |  22 +-
 97 files changed, 2106 insertions(+), 1886 deletions(-)
 create mode 100644 auditbeat/core/eventmod.go
 delete mode 100644 auditbeat/docs/modules/audit.asciidoc
 delete mode 100644 auditbeat/docs/modules/audit/file.asciidoc
 delete mode 100644 auditbeat/docs/modules/audit/kernel.asciidoc
 create mode 100644 auditbeat/docs/modules/auditd.asciidoc
 create mode 100644 auditbeat/docs/modules/file_integrity.asciidoc
 delete mode 100644 auditbeat/module/audit/_meta/config.yml.tpl
 delete mode 100644 auditbeat/module/audit/_meta/docs.asciidoc
 delete mode 100644 auditbeat/module/audit/_meta/fields.yml
 delete mode 100644 auditbeat/module/audit/doc.go
 delete mode 100644 auditbeat/module/audit/file/_meta/data.json
 delete mode 100644 auditbeat/module/audit/file/_meta/fields.yml
 delete mode 100644 auditbeat/module/audit/kernel/_meta/fields.yml
 delete mode 100644 auditbeat/module/audit/kernel/audit_unsupported.go
 delete mode 100644 auditbeat/module/audit/kernel/doc.go
 delete mode 100644 auditbeat/module/audit/module.yml
 create mode 100644 auditbeat/module/auditd/_meta/config.yml.tpl
 rename auditbeat/module/{audit/kernel => auditd}/_meta/data.json (86%)
 rename auditbeat/module/{audit/kernel => auditd}/_meta/docs.asciidoc (77%)
 create mode 100644 auditbeat/module/auditd/_meta/fields.yml
 rename auditbeat/module/{audit => auditd}/_meta/kibana/5.x/dashboard/AV0tXkjYg1PYniApZbKP.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/5.x/visualization/AV0tV05vg1PYniApZbA2.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/5.x/visualization/AV0tVcg6g1PYniApZa-v.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/5.x/visualization/AV0tW0djg1PYniApZbGL.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/5.x/visualization/AV0tWL-Yg1PYniApZbCs.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/5.x/visualization/AV0tWSdXg1PYniApZbDU.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/5.x/visualization/AV0tY6jwg1PYniApZbRY.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/5.x/visualization/AV0tav8Ag1PYniApZbbK.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/5.x/visualization/AV0tbcUdg1PYniApZbe1.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/5.x/visualization/AV0tc_xZg1PYniApZbnL.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/5.x/visualization/AV0te0TCg1PYniApZbw9.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/5.x/visualization/AV0tes4Eg1PYniApZbwV.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/default/dashboard/auditbeat-file-integrity.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/default/dashboard/auditbeat-kernel-executions.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/default/dashboard/auditbeat-kernel-overview.json (100%)
 rename auditbeat/module/{audit => auditd}/_meta/kibana/default/dashboard/auditbeat-kernel-sockets.json (100%)
 rename auditbeat/module/{audit/kernel => auditd}/audit_linux.go (85%)
 rename auditbeat/module/{audit/kernel => auditd}/audit_linux_test.go (60%)
 create mode 100644 auditbeat/module/auditd/audit_unsupported.go
 rename auditbeat/module/{audit/kernel => auditd}/config.go (65%)
 rename auditbeat/module/{audit/kernel => auditd}/config_linux_test.go (95%)
 create mode 100644 auditbeat/module/auditd/doc.go
 rename auditbeat/module/{audit/kernel => auditd}/mock_linux_test.go (99%)
 create mode 100644 auditbeat/module/auditd/module.yml
 create mode 100644 auditbeat/module/file_integrity/_meta/config.yml.tpl
 create mode 100644 auditbeat/module/file_integrity/_meta/data.json
 rename auditbeat/module/{audit/file => file_integrity}/_meta/docs.asciidoc (62%)
 create mode 100644 auditbeat/module/file_integrity/_meta/fields.yml
 rename auditbeat/module/{audit/file => file_integrity}/action.go (99%)
 rename auditbeat/module/{audit/file => file_integrity}/config.go (73%)
 rename auditbeat/module/{audit/file => file_integrity}/config_test.go (76%)
 rename auditbeat/module/{audit/file => file_integrity}/event.go (96%)
 rename auditbeat/module/{audit/file => file_integrity}/event_test.go (99%)
 rename auditbeat/module/{audit/file => file_integrity}/eventreader_fsevents.go (99%)
 rename auditbeat/module/{audit/file => file_integrity}/eventreader_fsnotify.go (95%)
 rename auditbeat/module/{audit/file => file_integrity}/eventreader_test.go (98%)
 rename auditbeat/module/{audit/file => file_integrity}/eventreader_unsupported.go (90%)
 rename auditbeat/module/{audit/file => file_integrity}/fileinfo_bsd.go (92%)
 rename auditbeat/module/{audit/file => file_integrity}/fileinfo_linux.go (91%)
 rename auditbeat/module/{audit/file => file_integrity}/fileinfo_posix.go (98%)
 rename auditbeat/module/{audit/file => file_integrity}/fileinfo_test.go (98%)
 rename auditbeat/module/{audit/file => file_integrity}/fileinfo_windows.go (99%)
 rename auditbeat/module/{audit/file => file_integrity}/flatbuffers.go (98%)
 rename auditbeat/module/{audit/file => file_integrity}/flatbuffers_test.go (98%)
 rename auditbeat/module/{audit/file => file_integrity}/metricset.go (82%)
 rename auditbeat/module/{audit/file => file_integrity}/metricset_test.go (58%)
 create mode 100644 auditbeat/module/file_integrity/module.yml
 rename auditbeat/module/{audit/file => file_integrity}/monitor/filetree.go (100%)
 rename auditbeat/module/{audit/file => file_integrity}/monitor/filetree_test.go (100%)
 rename auditbeat/module/{audit/file => file_integrity}/monitor/monitor.go (100%)
 rename auditbeat/module/{audit/file => file_integrity}/monitor/monitor_test.go (100%)
 rename auditbeat/module/{audit/file => file_integrity}/monitor/nonrecursive.go (100%)
 rename auditbeat/module/{audit/file => file_integrity}/monitor/recursive.go (100%)
 rename auditbeat/module/{audit/file => file_integrity}/scanner.go (99%)
 rename auditbeat/module/{audit/file => file_integrity}/scanner_test.go (99%)
 rename auditbeat/module/{audit/file => file_integrity}/schema.fbs (100%)
 rename auditbeat/module/{audit/file => file_integrity}/schema/Action.go (100%)
 rename auditbeat/module/{audit/file => file_integrity}/schema/Event.go (100%)
 rename auditbeat/module/{audit/file => file_integrity}/schema/Hash.go (100%)
 rename auditbeat/module/{audit/file => file_integrity}/schema/Metadata.go (100%)
 rename auditbeat/module/{audit/file => file_integrity}/schema/Source.go (100%)
 rename auditbeat/module/{audit/file => file_integrity}/schema/Type.go (100%)
 rename auditbeat/module/{audit/file => file_integrity}/security_windows.go (98%)
 rename auditbeat/module/{audit/file => file_integrity}/security_windows_test.go (97%)
 rename auditbeat/module/{audit/file => file_integrity}/zsecurity_windows.go (97%)

diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 79080f1b2a4..b6c982a2e0e 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -21,6 +21,9 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di
 *Auditbeat*
 
 - Changed `audit.file.path` to be a multi-field so that path is searchable. {pull}5625[5625]
+- Split the audit.kernel and audit.file metricsets into their own modules
+  named auditd and file_integrity, respectively. This change requires
+  existing users to update their config. {issue}5422[5422]
 
 *Filebeat*
 
diff --git a/Vagrantfile b/Vagrantfile
index 5a6950ffaf0..7c17d55b6dc 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -52,16 +52,19 @@ echo 'Creating github.com/elastic in the GOPATH'
 mkdir -p ~/go/src/github.com/elastic
 echo 'Symlinking /vagrant to ~/go/src/github.com/elastic'
 cd ~/go/src/github.com/elastic
-if [ -d "/vagrant" ]; then ln -s /vagrant beats; fi
+if [ -d "/vagrant" ]  && [ ! -e "beats" ]; then ln -s /vagrant beats; fi
 SCRIPT
 
 # Linux GVM
 $linuxGvmProvision = <<SCRIPT
 mkdir -p ~/bin
-curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.0.1/gvm-linux-amd64
-chmod +x ~/bin/gvm
-echo 'export PATH=~/bin:$PATH' >> ~/.bash_profile
-echo 'eval "$(gvm 1.9.2)"' >> ~/.bash_profile
+if [ ! -e "~/bin/gvm" ]; then
+  curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.0.5/gvm-linux-amd64
+  chmod +x ~/bin/gvm
+  echo 'export GOPATH=$HOME/go' >> ~/.bash_profile
+  echo 'export PATH=$HOME/bin:$GOPATH/bin:$PATH' >> ~/.bash_profile
+  echo 'eval "$(gvm 1.9.2)"' >> ~/.bash_profile
+fi
 SCRIPT
 
 Vagrant.configure(2) do |config|
@@ -119,16 +122,25 @@ Vagrant.configure(2) do |config|
     openbsd.vm.provision "shell", inline: $unixProvision, privileged: false
   end
 
-  # CentOS 7
-  config.vm.define "centos7", primary: true do |centos7|
-    #centos7.vm.box = "http://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1706_02.VirtualBox.box"
-    centos7.vm.box = "ubuntu/precise64"
-    centos7.vm.network :forwarded_port, guest: 22,   host: 2226,  id: "ssh", auto_correct: true
+  config.vm.define "precise64", primary: true do |c|
+    c.vm.box = "ubuntu/precise64"
+    c.vm.network :forwarded_port, guest: 22,   host: 2226,  id: "ssh", auto_correct: true
 
-    centos7.vm.provision "shell", inline: $unixProvision, privileged: false
-    centos7.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
+    c.vm.provision "shell", inline: $unixProvision, privileged: false
+    c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
 
-    centos7.vm.synced_folder ".", "/vagrant", type: "virtualbox"
+    c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
+  end
+
+  config.vm.define "fedora26", primary: true do |c|
+    c.vm.box = "bento/fedora-26"
+    c.vm.network :forwarded_port, guest: 22,   host: 2227,  id: "ssh", auto_correct: true
+
+    c.vm.provision "shell", inline: $unixProvision, privileged: false
+    c.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
+    config.vm.provision "shell", inline: "dnf install -y make gcc python-pip python-virtualenv git"
+
+    c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
   end
 
 end
diff --git a/auditbeat/Makefile b/auditbeat/Makefile
index 84e18f01554..dd535a35f25 100644
--- a/auditbeat/Makefile
+++ b/auditbeat/Makefile
@@ -4,6 +4,7 @@ BEAT_DESCRIPTION=Audit the activities of users and processes on your system.
 SYSTEM_TESTS=false
 TEST_ENVIRONMENT=false
 GOX_OS?=linux windows ## @Building List of all OS to be supported by "make crosscompile".
+DEV_OS?=linux
 
 # Path to the libbeat Makefile
 -include ../libbeat/scripts/Makefile
@@ -49,17 +50,17 @@ collect: fields collect-docs configs kibana
 .PHONY: fields
 fields: python-env
 	@mkdir -p _meta
-	@cp ${ES_BEATS}/metricbeat/_meta/fields.common.yml _meta/fields.generated.yml
+	@cp _meta/fields.common.yml _meta/fields.generated.yml
 	@${PYTHON_ENV}/bin/python ${ES_BEATS}/metricbeat/scripts/fields_collector.py >> _meta/fields.generated.yml
 
 # Collects all module configs
 .PHONY: configs
 configs: python-env
 	@cat ${ES_BEATS}/auditbeat/_meta/common.p1.yml \
-	     <(go run scripts/generate_config.go -os linux -concat) \
+	     <(go run scripts/generate_config.go -os ${DEV_OS} -concat) \
 		 ${ES_BEATS}/auditbeat/_meta/common.p2.yml > _meta/beat.yml
 	@cat ${ES_BEATS}/auditbeat/_meta/common.reference.yml \
-	     <(go run scripts/generate_config.go -os linux -ref -concat) > _meta/beat.reference.yml
+	     <(go run scripts/generate_config.go -os ${DEV_OS} -ref -concat) > _meta/beat.reference.yml
 
 # Collects all module docs
 .PHONY: collect-docs
diff --git a/auditbeat/_meta/fields.common.yml b/auditbeat/_meta/fields.common.yml
index b47ccbd13aa..113f46b98d4 100644
--- a/auditbeat/_meta/fields.common.yml
+++ b/auditbeat/_meta/fields.common.yml
@@ -3,34 +3,7 @@
   description: >
     Contains common fields available in all event types.
   fields:
-
-    - name: metricset.module
+    - name: dataset.module
       description: >
         The name of the module that generated the event.
 
-    - name: metricset.name
-      description: >
-        The name of the metricset that generated the event.
-
-    - name: metricset.host
-      description: >
-        Hostname of the machine from which the metricset was collected. This
-        field may not be present when the data was collected locally.
-
-    - name: metricset.rtt
-      type: long
-      required: true
-      description: >
-        Event round trip time in microseconds.
-
-    - name: metricset.namespace
-      type: keyword
-      description: >
-        Namespace of dynamic metricsets.
-
-    - name: type
-      required: true
-      example: metricsets
-      description: >
-        The document type. Always set to "metricsets".
-
diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml
index 38a20fe5d52..5ee4ad9a9b7 100644
--- a/auditbeat/auditbeat.reference.yml
+++ b/auditbeat/auditbeat.reference.yml
@@ -29,17 +29,16 @@ auditbeat.max_start_delay: 10s
 #==========================  Modules configuration =============================
 auditbeat.modules:
 
-# The kernel metricset collects events from the audit framework in the Linux
+# The auditd module collects events from the audit framework in the Linux
 # kernel. You need to specify audit rules for the events that you want to audit.
-- module: audit
-  metricsets: [kernel]
-  kernel.resolve_ids: true
-  kernel.failure_mode: silent
-  kernel.backlog_limit: 8196
-  kernel.rate_limit: 0
-  kernel.include_raw_message: false
-  kernel.include_warnings: false
-  kernel.audit_rules: |
+- module: auditd
+  resolve_ids: true
+  failure_mode: silent
+  backlog_limit: 8196
+  rate_limit: 0
+  include_raw_message: false
+  include_warnings: false
+  audit_rules: |
     ## Define audit rules here.
     ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
     ## examples or add your own rules.
@@ -65,11 +64,10 @@ auditbeat.modules:
     #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
     #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
 
-# The file integrity metricset sends events when files are changed (created,
+# The file integrity module sends events when files are changed (created,
 # updated, deleted). The events contain file metadata and hashes.
-- module: audit
-  metricsets: [file]
-  file.paths:
+- module: file_integrity
+  paths:
   - /bin
   - /usr/bin
   - /sbin
@@ -78,22 +76,23 @@ auditbeat.modules:
   
   # Scan over the configured file paths at startup and send events for new or
   # modified files since the last time Auditbeat was running.
-  file.scan_at_start: true
+  scan_at_start: true
 
   # Average scan rate. This throttles the amount of CPU and I/O that Auditbeat
   # consumes at startup while scanning. Default is "50 MiB".
-  file.scan_rate_per_sec: 50 MiB
+  scan_rate_per_sec: 50 MiB
 
   # Limit on the size of files that will be hashed. Default is "100 MiB".
-  file.max_file_size: 100 MiB
+  # Limit on the size of files that will be hashed. Default is "100 MiB".
+  max_file_size: 100 MiB
 
   # Hash types to compute when the file changes. Supported types are md5, sha1,
   # sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256,
   # sha3_384 and sha3_512. Default is sha1.
-  file.hash_types: [sha1]
+  hash_types: [sha1]
 
   # Detect changes to files included in subdirectories. Disabled by default.
-  file.recursive: false
+  recursive: false
 
 
 #================================ General ======================================
diff --git a/auditbeat/auditbeat.yml b/auditbeat/auditbeat.yml
index e5c057e2ea5..ab304d73285 100644
--- a/auditbeat/auditbeat.yml
+++ b/auditbeat/auditbeat.yml
@@ -10,9 +10,8 @@
 #==========================  Modules configuration =============================
 auditbeat.modules:
 
-- module: audit
-  metricsets: [kernel]
-  kernel.audit_rules: |
+- module: auditd
+  audit_rules: |
     ## Define audit rules here.
     ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
     ## examples or add your own rules.
@@ -38,9 +37,8 @@ auditbeat.modules:
     #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
     #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
 
-- module: audit
-  metricsets: [file]
-  file.paths:
+- module: file_integrity
+  paths:
   - /bin
   - /usr/bin
   - /sbin
diff --git a/auditbeat/cmd/root.go b/auditbeat/cmd/root.go
index 9c8b7c483fc..bb85f61e145 100644
--- a/auditbeat/cmd/root.go
+++ b/auditbeat/cmd/root.go
@@ -5,7 +5,9 @@ import (
 
 	"github.com/elastic/beats/metricbeat/beater"
 
+	"github.com/elastic/beats/auditbeat/core"
 	cmd "github.com/elastic/beats/libbeat/cmd"
+	"github.com/elastic/beats/metricbeat/mb/module"
 )
 
 // Name of the beat (auditbeat).
@@ -15,6 +17,11 @@ const Name = "auditbeat"
 var RootCmd *cmd.BeatsRootCmd
 
 func init() {
+	create := beater.Creator(
+		beater.WithModuleOptions(
+			module.WithEventModifier(core.AddDatasetToEvent),
+		),
+	)
 	var runFlags = pflag.NewFlagSet(Name, pflag.ExitOnError)
-	RootCmd = cmd.GenRootCmdWithRunFlags(Name, "", beater.DefaultCreator(), runFlags)
+	RootCmd = cmd.GenRootCmdWithRunFlags(Name, "", create, runFlags)
 }
diff --git a/auditbeat/core/eventmod.go b/auditbeat/core/eventmod.go
new file mode 100644
index 00000000000..fe4a166cb33
--- /dev/null
+++ b/auditbeat/core/eventmod.go
@@ -0,0 +1,16 @@
+package core
+
+import (
+	"github.com/elastic/beats/libbeat/common"
+	"github.com/elastic/beats/metricbeat/mb"
+)
+
+// AddDatasetToEvent adds dataset information to the event. In particular this
+// adds the module name under dataset.module.
+func AddDatasetToEvent(module, metricSet string, event *mb.Event) {
+	if event.RootFields == nil {
+		event.RootFields = common.MapStr{}
+	}
+
+	event.RootFields.Put("dataset.module", module)
+}
diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
index 1f7b38492c5..58aa0cdcbe2 100644
--- a/auditbeat/docs/fields.asciidoc
+++ b/auditbeat/docs/fields.asciidoc
@@ -12,241 +12,16 @@ This file is generated! See _meta/fields.yml and scripts/generate_field_docs.py
 This document describes the fields that are exported by Auditbeat. They are
 grouped in the following categories:
 
-* <<exported-fields-audit>>
+* <<exported-fields-auditd>>
 * <<exported-fields-beat>>
 * <<exported-fields-cloud>>
 * <<exported-fields-common>>
 * <<exported-fields-docker-processor>>
+* <<exported-fields-file_integrity>>
 * <<exported-fields-kubernetes-processor>>
 
 --
-[[exported-fields-audit]]
-== Audit fields
-
-The `audit` module reports security-relevant information based on data captured from the operating system (OS) or services running on the OS.
-
-
-
-[float]
-== audit fields
-
-
-
-
-[float]
-== file fields
-
-The file metricset generates events when a file changes on disk.
-
-
-
-[float]
-=== `audit.file.path`
-
-type: text
-
-The path to the file.
-
-[float]
-=== `audit.file.path.raw`
-
-type: keyword
-
-The path to the file. This is an non-analyzed field that is useful for aggregations.
-
-
-[float]
-=== `audit.file.target_path`
-
-type: keyword
-
-The target path for symlinks.
-
-[float]
-=== `audit.file.action`
-
-type: keyword
-
-example: attributes_modified
-
-Action describes the change that triggered the event. The possible values are: attributes_modified, created, deleted, updated, moved, and config_change.
-
-
-[float]
-=== `audit.file.type`
-
-type: keyword
-
-The file type (file, dir, or symlink).
-
-[float]
-=== `audit.file.inode`
-
-type: keyword
-
-The inode representing the file in the filesystem.
-
-[float]
-=== `audit.file.uid`
-
-type: keyword
-
-The user ID (UID) of the file owner.
-
-[float]
-=== `audit.file.owner`
-
-type: keyword
-
-The file owner's username.
-
-[float]
-=== `audit.file.gid`
-
-type: keyword
-
-The primary group ID (GID) of the file.
-
-[float]
-=== `audit.file.group`
-
-type: keyword
-
-The primary group name of the file.
-
-[float]
-=== `audit.file.sid`
-
-type: keyword
-
-The security identifier (SID) of the file owner (Windows only).
-
-[float]
-=== `audit.file.mode`
-
-type: keyword
-
-example: 416
-
-The mode of the file in octal representation.
-
-[float]
-=== `audit.file.size`
-
-type: long
-
-The file size in bytes (field is only added when `type` is `file`).
-
-[float]
-=== `audit.file.mtime`
-
-type: date
-
-The last modified time of the file (time when content was modified).
-
-[float]
-=== `audit.file.ctime`
-
-type: date
-
-The last change time of the file (time when metadata was changed).
-
-[float]
-=== `audit.file.hashed`
-
-type: boolean
-
-Boolean indicating if the event includes any file hashes.
-
-
-[float]
-=== `audit.file.md5`
-
-type: keyword
-
-MD5 hash of the file.
-
-[float]
-=== `audit.file.sha1`
-
-type: keyword
-
-SHA1 hash of the file.
-
-[float]
-=== `audit.file.sha224`
-
-type: keyword
-
-SHA224 hash of the file.
-
-[float]
-=== `audit.file.sha256`
-
-type: keyword
-
-SHA256 hash of the file.
-
-[float]
-=== `audit.file.sha384`
-
-type: keyword
-
-SHA384 hash of the file.
-
-[float]
-=== `audit.file.sha3_224`
-
-type: keyword
-
-SHA3_224 hash of the file.
-
-[float]
-=== `audit.file.sha3_256`
-
-type: keyword
-
-SHA3_256 hash of the file.
-
-[float]
-=== `audit.file.sha3_384`
-
-type: keyword
-
-SHA3_384 hash of the file.
-
-[float]
-=== `audit.file.sha3_512`
-
-type: keyword
-
-SHA3_512 hash of the file.
-
-[float]
-=== `audit.file.sha512`
-
-type: keyword
-
-SHA512 hash of the file.
-
-[float]
-=== `audit.file.sha512_224`
-
-type: keyword
-
-SHA512/224 hash of the file.
-
-[float]
-=== `audit.file.sha512_256`
-
-type: keyword
-
-SHA512/256 hash of the file.
-
-[float]
-== kernel fields
-
-The kernel metricset distributes audit events received from the Linux Audit Framework that is a part of the Linux kernel.
+[[exported-fields-auditd]]
 
 
 
@@ -2313,91 +2088,249 @@ Contains common fields available in all event types.
 
 
 [float]
-=== `metricset.module`
+=== `dataset.module`
 
 The name of the module that generated the event.
 
 
+[[exported-fields-docker-processor]]
+== Docker fields
+
+beta[]
+Docker stats collected from Docker.
+
+
+
+
 [float]
-=== `metricset.name`
+=== `docker.container.id`
+
+type: keyword
+
+Unique container id.
+
+
+[float]
+=== `docker.container.image`
 
-The name of the metricset that generated the event.
+type: keyword
+
+Name of the image the container was built on.
 
 
 [float]
-=== `metricset.host`
+=== `docker.container.name`
 
-Hostname of the machine from which the metricset was collected. This field may not be present when the data was collected locally.
+type: keyword
+
+Container name.
 
 
 [float]
-=== `metricset.rtt`
+=== `docker.container.labels`
 
-type: long
+type: object
+
+Image labels.
 
-required: True
 
-Event round trip time in microseconds.
+[[exported-fields-file_integrity]]
+
 
 
 [float]
-=== `metricset.namespace`
+=== `audit.file.path`
 
 type: keyword
 
-Namespace of dynamic metricsets.
+The path to the file.
 
+[float]
+=== `audit.file.target_path`
+
+type: keyword
+
+The target path for symlinks.
 
 [float]
-=== `type`
+=== `audit.file.action`
 
-example: metricsets
+type: keyword
 
-required: True
+example: attributes_modified
 
-The document type. Always set to "metricsets".
+Action describes the change that triggered the event. The possible values are: attributes_modified, created, deleted, updated, moved, and config_change.
 
 
-[[exported-fields-docker-processor]]
-== Docker fields
+[float]
+=== `audit.file.type`
 
-beta[]
-Docker stats collected from Docker.
+type: keyword
+
+The file type (file, dir, or symlink).
 
+[float]
+=== `audit.file.inode`
 
+type: keyword
 
+The inode representing the file in the filesystem.
 
 [float]
-=== `docker.container.id`
+=== `audit.file.uid`
 
 type: keyword
 
-Unique container id.
+The user ID (UID) of the file owner.
 
+[float]
+=== `audit.file.owner`
+
+type: keyword
+
+The file owner's username.
 
 [float]
-=== `docker.container.image`
+=== `audit.file.gid`
 
 type: keyword
 
-Name of the image the container was built on.
+The primary group ID (GID) of the file.
 
+[float]
+=== `audit.file.group`
+
+type: keyword
+
+The primary group name of the file.
 
 [float]
-=== `docker.container.name`
+=== `audit.file.sid`
 
 type: keyword
 
-Container name.
+The security identifier (SID) of the file owner (Windows only).
+
+[float]
+=== `audit.file.mode`
+
+type: keyword
 
+example: 416
+
+The mode of the file in octal representation.
 
 [float]
-=== `docker.container.labels`
+=== `audit.file.size`
 
-type: object
+type: long
 
-Image labels.
+The file size in bytes (field is only added when `type` is `file`).
 
+[float]
+=== `audit.file.mtime`
+
+type: date
+
+The last modified time of the file (time when content was modified).
+
+[float]
+=== `audit.file.ctime`
+
+type: date
+
+The last change time of the file (time when metadata was changed).
+
+[float]
+=== `audit.file.hashed`
+
+type: boolean
+
+Boolean indicating if the event includes any file hashes.
+
+[float]
+=== `audit.file.md5`
+
+type: keyword
+
+MD5 hash of the file.
+
+[float]
+=== `audit.file.sha1`
+
+type: keyword
+
+SHA1 hash of the file.
+
+[float]
+=== `audit.file.sha224`
+
+type: keyword
+
+SHA224 hash of the file.
+
+[float]
+=== `audit.file.sha256`
+
+type: keyword
+
+SHA256 hash of the file.
+
+[float]
+=== `audit.file.sha384`
+
+type: keyword
+
+SHA384 hash of the file.
+
+[float]
+=== `audit.file.sha3_224`
+
+type: keyword
+
+SHA3_224 hash of the file.
+
+[float]
+=== `audit.file.sha3_256`
+
+type: keyword
+
+SHA3_256 hash of the file.
+
+[float]
+=== `audit.file.sha3_384`
+
+type: keyword
+
+SHA3_384 hash of the file.
+
+[float]
+=== `audit.file.sha3_512`
+
+type: keyword
+
+SHA3_512 hash of the file.
+
+[float]
+=== `audit.file.sha512`
+
+type: keyword
+
+SHA512 hash of the file.
+
+[float]
+=== `audit.file.sha512_224`
+
+type: keyword
+
+SHA512/224 hash of the file.
+
+[float]
+=== `audit.file.sha512_256`
+
+type: keyword
+
+SHA512/256 hash of the file.
 
 [[exported-fields-kubernetes-processor]]
 == Kubernetes fields
diff --git a/auditbeat/docs/modules/audit.asciidoc b/auditbeat/docs/modules/audit.asciidoc
deleted file mode 100644
index 231ead1b456..00000000000
--- a/auditbeat/docs/modules/audit.asciidoc
+++ /dev/null
@@ -1,75 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-[id="{beatname_lc}-module-audit"]
-== Audit Module
-
-The `audit` module reports security-relevant information based on data captured
-from the operating system (OS) or services running on the OS. Although this
-feature doesn’t provide additional security to your system, it does make it
-easier for you to discover and track security policy violations.
-
-
-[float]
-=== Example configuration
-
-The Audit module supports the common configuration options that are
-described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
-is an example configuration:
-
-[source,yaml]
-----
-auditbeat.modules:
-- module: audit
-  metricsets: [kernel]
-  kernel.audit_rules: |
-    ## Define audit rules here.
-    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
-    ## examples or add your own rules.
-
-    ## If you are on a 64 bit platform, everything should be running
-    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
-    ## because this might be a sign of someone exploiting a hole in the 32
-    ## bit API.
-    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
-
-    ## Executions.
-    #-a always,exit -F arch=b64 -S execve,execveat -k exec
-
-    ## External access.
-    #-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
-
-    ## Identity changes.
-    #-w /etc/group -p wa -k identity
-    #-w /etc/passwd -p wa -k identity
-    #-w /etc/gshadow -p wa -k identity
-
-    ## Unauthorized access attempts.
-    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
-
-- module: audit
-  metricsets: [file]
-  file.paths:
-  - /bin
-  - /usr/bin
-  - /sbin
-  - /usr/sbin
-  - /etc
-  
-----
-
-[float]
-=== Metricsets
-
-The following metricsets are available:
-
-* <<{beatname_lc}-metricset-audit-file,file>>
-
-* <<{beatname_lc}-metricset-audit-kernel,kernel>>
-
-include::audit/file.asciidoc[]
-
-include::audit/kernel.asciidoc[]
-
diff --git a/auditbeat/docs/modules/audit/file.asciidoc b/auditbeat/docs/modules/audit/file.asciidoc
deleted file mode 100644
index 7bd083049ab..00000000000
--- a/auditbeat/docs/modules/audit/file.asciidoc
+++ /dev/null
@@ -1,19 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-[id="{beatname_lc}-metricset-audit-file"]
-include::../../../module/audit/file/_meta/docs.asciidoc[]
-
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-audit,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/audit/file/_meta/data.json[]
-----
diff --git a/auditbeat/docs/modules/audit/kernel.asciidoc b/auditbeat/docs/modules/audit/kernel.asciidoc
deleted file mode 100644
index 19d56b091a2..00000000000
--- a/auditbeat/docs/modules/audit/kernel.asciidoc
+++ /dev/null
@@ -1,19 +0,0 @@
-////
-This file is generated! See scripts/docs_collector.py
-////
-
-[id="{beatname_lc}-metricset-audit-kernel"]
-include::../../../module/audit/kernel/_meta/docs.asciidoc[]
-
-
-==== Fields
-
-For a description of each field in the metricset, see the
-<<exported-fields-audit,exported fields>> section.
-
-Here is an example document generated by this metricset:
-
-[source,json]
-----
-include::../../../module/audit/kernel/_meta/data.json[]
-----
diff --git a/auditbeat/docs/modules/auditd.asciidoc b/auditbeat/docs/modules/auditd.asciidoc
new file mode 100644
index 00000000000..aeab4fc38fa
--- /dev/null
+++ b/auditbeat/docs/modules/auditd.asciidoc
@@ -0,0 +1,222 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[id="{beatname_lc}-module-auditd"]
+=== Auditd Module
+
+The `auditd` module receives audit events from the Linux Audit Framework that
+is a part of the Linux kernel.
+
+This module is available only for Linux.
+
+[float]
+=== How it works
+
+This module establishes a subscription to the kernel to receive the events
+as they occur. So unlike most other modules, the `period` configuration
+option is unused because it is not implemented using polling.
+
+The Linux Audit Framework can send multiple messages for a single auditable
+event. For example, a `rename` syscall causes the kernel to send eight separate
+messages. Each message describes a different aspect of the activity that is
+occurring (the syscall itself, file paths, current working directory, process
+title). This module will combine all of the data from each of the messages
+into a single event.
+
+Messages for one event can be interleaved with messages from another event. This
+module will buffer the messages in order to combine related messages into a
+single event even if they arrive interleaved or out of order.
+
+[float]
+=== Useful commands
+
+When running {beatname_uc} with the `auditd` module enabled, you might find
+that other monitoring tools interfere with {beatname_uc}.
+
+For example, you might encounter errors if another process, such as `auditd`, is
+registered to receive data from the Linux Audit Framework. You can use these
+commands to see if the `auditd` service is running and stop it:
+
+* See if `auditd` is running:
++
+[source,shell]
+-----
+service auditd status
+-----
+
+* Stop the `auditd` service:
++
+[source,shell]
+-----
+service auditd stop
+-----
+
+* Disable `auditd` from starting on boot:
++
+[source,shell]
+-----
+chkconfig auditd off
+-----
+
+To save CPU usage and disk space, you can use this command to stop `journald`
+from listening to audit messages:
+
+[source,shell]
+-----
+systemctl mask systemd-journald-audit.socket
+-----
+
+
+[float]
+=== Configuration options
+
+This module has some configuration options for tuning its behavior. The
+following example shows all configuration options with their default values.
+
+[source,yaml]
+----
+- module: auditd
+  resolve_ids: true
+  failure_mode: silent
+  backlog_limit: 8196
+  rate_limit: 0
+  include_raw_message: false
+  include_warnings: false
+----
+
+*`socket_type`*:: This optional setting controls the type of
+socket that {beatname_uc} uses to receive events from the kernel. The two
+options are `unicast` and `multicast`.
++
+`unicast` should be used when {beatname_uc} is the primary userspace daemon for
+receiving audit events and managing the rules. Only a single process can receive
+audit events through the "unicast" connection so any other daemons should be
+stopped (e.g. stop `auditd`).
++
+`multicast` can be used in kernel versions 3.16 and newer. By using `multicast`
+{beatname_uc} will receive an audit event broadcast that is not exclusive to a
+a single process. This is ideal for situations where `auditd` is running and
+managing the rules. If `multicast` is specified, but the kernel version is less
+than 3.16 {beatname_uc} will automatically revert to `unicast`.
++
+By default {beatname_uc} will use `multicast` if the kernel version is 3.16 or
+newer and no rules have been defined. Otherwise `unicast` will be used.
+
+*`resolve_ids`*:: This boolean setting enables the resolution of UIDs and
+GIDs to their associated names. The default value is true.
+
+*`failure_mode`*:: This determines the kernel's behavior on critical
+failures such as errors sending events to {beatname_uc}, the backlog limit was
+exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
+options are `silent`, `log`, or `panic`. `silent` basically makes the kernel
+ignore the errors, `log` makes the kernel write the audit messages using
+`printk` so they show up in system's syslog, and `panic` causes the kernel to
+panic to prevent use of the machine. {beatname_uc}'s default is `silent`.
+
+*`backlog_limit`*:: This controls the maximum number of audit messages
+that will be buffered by the kernel.
+
+*`rate_limit`*:: This sets a rate limit on the number of messages/sec
+delivered by the kernel. The default is 0, which disables rate limiting.
+Changing this value to anything other than zero can cause messages to be lost.
+The preferred approach to reduce the messaging rate is be more selective in the
+audit ruleset.
+
+*`include_raw_message`*:: This boolean setting causes {beatname_uc} to
+include each of the raw messages that contributed to the event in the document
+as a field called `messages`. The default value is false. This setting is
+primarily used for development and debugging purposes.
+
+*`include_warnings`*:: This boolean setting causes {beatname_uc} to
+include as warnings any issues that were encountered while parsing the raw
+messages. The default value is false. When this setting is enabled the raw
+messages will be included in the event regardless of the
+`include_raw_message` config setting. This setting is primarily used for
+development and debugging purposes.
+
+*`audit_rules`*:: A string containing the audit rules that should be
+installed to the kernel. There should be one rule per line. Comments can be
+embedded in the string using `#` as a prefix. The format for rules is the same
+used by the Linux `auditctl` utility. {beatname_uc} supports adding file watches
+(`-w`) and syscall rules (`-a` or `-A`).
+
+[float]
+=== Audit rules
+
+The audit rules are where you configure the activities that are audited. These
+rules are configured as either syscalls or files that should be monitored. For
+example you can track all `connect` syscalls or file system writes to
+`/etc/passwd`.
+
+Auditing a large number of syscalls can place a heavy load on the system so
+consider carefully the rules you define and try to apply filters in the rules
+themselves to be as selective as possible.
+
+The kernel evaluates the rules in the order in which they were defined so place
+the most active rules first in order to speed up evaluation.
+
+You can assign keys to each rule for better identification of the rule that
+triggered an event and easier filtering later in Elasticsearch.
+
+Defining any audit rules in the config causes {beatname_uc} to purge all
+existing audit rules prior to adding the rules specified in the config.
+Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
+
+["source","sh",subs="attributes"]
+----
+{beatname_lc}.modules:
+- module: auditd
+  audit_rules: |
+    # Things that affect identity.
+    -w /etc/group -p wa -k identity
+    -w /etc/passwd -p wa -k identity
+    -w /etc/gshadow -p wa -k identity
+    -w /etc/shadow -p wa -k identity
+
+    # Unauthorized access attempts to files (unsuccessful).
+    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+----
+
+
+[float]
+=== Example configuration
+
+The Auditd module supports the common configuration options that are
+described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
+is an example configuration:
+
+[source,yaml]
+----
+auditbeat.modules:
+- module: auditd
+  audit_rules: |
+    ## Define audit rules here.
+    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
+    ## examples or add your own rules.
+
+    ## If you are on a 64 bit platform, everything should be running
+    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+    ## because this might be a sign of someone exploiting a hole in the 32
+    ## bit API.
+    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+    ## Executions.
+    #-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+    ## External access.
+    #-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
+
+    ## Identity changes.
+    #-w /etc/group -p wa -k identity
+    #-w /etc/passwd -p wa -k identity
+    #-w /etc/gshadow -p wa -k identity
+
+    ## Unauthorized access attempts.
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+----
+
diff --git a/auditbeat/docs/modules/file_integrity.asciidoc b/auditbeat/docs/modules/file_integrity.asciidoc
new file mode 100644
index 00000000000..c5471a2c107
--- /dev/null
+++ b/auditbeat/docs/modules/file_integrity.asciidoc
@@ -0,0 +1,120 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[id="{beatname_lc}-module-file_integrity"]
+=== File Integrity Module
+
+The `file_integrity` module sends events when a file is changed (created,
+updated, or deleted) on disk. The events contain file metadata and hashes.
+
+The module is implemented for Linux, macOS (Darwin), and Windows.
+
+[float]
+=== How it works
+
+This module uses features of the operating system to monitor file changes in
+realtime. When the module starts it creates a subscription with the OS to
+receive notifications of changes to the specified files or directories. Upon
+receiving notification of a change the module will read the file's metadata
+and the compute a hash of the file's contents.
+
+At startup this module will perform an initial scan of the configured files
+and directories to generate baseline data for the monitored paths and detect
+changes since the last time it was run. It uses locally persisted data in order
+to only send events for new or modified files.
+
+The operating system features that power this feature are as follows.
+
+* Linux - `inotify` is used, and therefore the kernel must have inotify support.
+Inotify was initially merged into the 2.6.13 Linux kernel.
+* macOS (Darwin) - Uses the `FSEvents` API, present since macOS 10.5. This API
+coalesces multiple changes to a file into a single event. {beatname_uc} translates
+this coalesced changes into a meaningful sequence of actions. However,
+in rare situations the reported events may have a different ordering than what
+actually happened.
+* Windows - `ReadDirectoryChangesW` is used.
+
+The file integrity module should not be used to monitor paths on network file
+systems.
+
+[float]
+=== Configuration options
+
+This module has some configuration options for tuning its behavior. The
+following example shows all configuration options with their default values for
+Linux.
+
+[source,yaml]
+----
+- module: file_integrity
+  paths:
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
+  scan_at_start: true
+  scan_rate_per_sec: 50 MiB
+  max_file_size: 100 MiB
+  hash_types: [sha1]
+  recursive: false
+----
+
+*`paths`*:: A list of paths (directories or files) to watch. Globs are
+not supported. The specified paths should exist when the metricset is started.
+
+*`scan_at_start`*:: A boolean value that controls if {beatname_uc} scans
+over the configured file paths at startup and send events for the files
+that have been modified since the last time {beatname_uc} was running. The
+default value is true.
++
+This feature depends on data stored locally in `path.data` in order to determine
+if a file has changed. The first time {beatname_uc} runs it will send an event
+for each file it encounters.
+
+*`scan_rate_per_sec`*:: When `scan_at_start` is enabled this sets an
+average read rate defined in bytes per second for the initial scan. This
+throttles the amount of CPU and I/O that {beatname_uc} consumes at startup.
+The default value is "50 MiB". Setting the value to "0" disables throttling.
+For convenience units can be specified as a suffix to the value. The supported
+units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`, `gb`, `tib`, `tb`,
+`pib`, `pb`, `eib`, and `eb`.
+
+*`max_file_size`*:: The maximum size of a file in bytes for which
+{beatname_uc} will compute hashes. Files larger than this size will not be
+hashed. The default value is 100 MiB. For convenience units can be specified as
+a suffix to the value. The supported units are `b` (default), `kib`, `kb`, `mib`,
+`mb`, `gib`, `gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.
+
+*`hash_types`*:: A list of hash types to compute when the file changes.
+The supported hash types are md5, sha1, sha224, sha256, sha384, sha512,
+sha512_224, sha512_256, sha3_224, sha3_256, sha3_384 and sha3_512. The default
+value is sha1.
+
+*`recursive`*:: By default, the watches set to the paths specified in
+`paths` are not recursive. This means that only changes to the contents
+of this directories are watched. If `recursive` is set to `true`, the file
+metric will watch for changes on this directories and all their subdirectories.
+
+
+[float]
+=== Example configuration
+
+The File Integrity module supports the common configuration options that are
+described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
+is an example configuration:
+
+[source,yaml]
+----
+auditbeat.modules:
+- module: file_integrity
+  paths:
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
+  
+----
+
diff --git a/auditbeat/docs/modules_list.asciidoc b/auditbeat/docs/modules_list.asciidoc
index 01bcb8f8f0b..84c110b16c3 100644
--- a/auditbeat/docs/modules_list.asciidoc
+++ b/auditbeat/docs/modules_list.asciidoc
@@ -2,9 +2,11 @@
 This file is generated! See scripts/docs_collector.py
 ////
 
-  * <<{beatname_lc}-module-audit,Audit>>
+  * <<{beatname_lc}-module-auditd,Auditd>>
+  * <<{beatname_lc}-module-file_integrity,File Integrity>>
 
 
 --
 
-include::modules/audit.asciidoc[]
+include::modules/auditd.asciidoc[]
+include::modules/file_integrity.asciidoc[]
diff --git a/auditbeat/main.go b/auditbeat/main.go
index 9b1a073d7ec..505e611ac8c 100644
--- a/auditbeat/main.go
+++ b/auditbeat/main.go
@@ -5,9 +5,9 @@ import (
 
 	"github.com/elastic/beats/auditbeat/cmd"
 
-	_ "github.com/elastic/beats/auditbeat/module/audit"
-	_ "github.com/elastic/beats/auditbeat/module/audit/file"
-	_ "github.com/elastic/beats/auditbeat/module/audit/kernel"
+	// Register modules.
+	_ "github.com/elastic/beats/auditbeat/module/auditd"
+	_ "github.com/elastic/beats/auditbeat/module/file_integrity"
 )
 
 func main() {
diff --git a/auditbeat/module/audit/_meta/config.yml.tpl b/auditbeat/module/audit/_meta/config.yml.tpl
deleted file mode 100644
index d501f05d035..00000000000
--- a/auditbeat/module/audit/_meta/config.yml.tpl
+++ /dev/null
@@ -1,91 +0,0 @@
-{{ if eq .goos "linux" -}}
-{{ if .reference -}}
-# The kernel metricset collects events from the audit framework in the Linux
-# kernel. You need to specify audit rules for the events that you want to audit.
-{{ end -}}
-- module: audit
-  metricsets: [kernel]
-  {{ if .reference -}}
-  kernel.resolve_ids: true
-  kernel.failure_mode: silent
-  kernel.backlog_limit: 8196
-  kernel.rate_limit: 0
-  kernel.include_raw_message: false
-  kernel.include_warnings: false
-  {{ end -}}
-  kernel.audit_rules: |
-    ## Define audit rules here.
-    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
-    ## examples or add your own rules.
-
-    ## If you are on a 64 bit platform, everything should be running
-    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
-    ## because this might be a sign of someone exploiting a hole in the 32
-    ## bit API.
-    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
-
-    ## Executions.
-    #-a always,exit -F arch=b64 -S execve,execveat -k exec
-
-    ## External access.
-    #-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
-
-    ## Identity changes.
-    #-w /etc/group -p wa -k identity
-    #-w /etc/passwd -p wa -k identity
-    #-w /etc/gshadow -p wa -k identity
-
-    ## Unauthorized access attempts.
-    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
-
-{{ end -}}
-
-{{ if .reference -}}
-# The file integrity metricset sends events when files are changed (created,
-# updated, deleted). The events contain file metadata and hashes.
-{{ end -}}
-- module: audit
-  metricsets: [file]
-  {{ if eq .goos "darwin" -}}
-  file.paths:
-  - /bin
-  - /usr/bin
-  - /usr/local/bin
-  - /sbin
-  - /usr/sbin
-  - /usr/local/sbin
-  {{ else if eq .goos "windows" -}}
-  file.paths:
-  - C:/windows
-  - C:/windows/system32
-  - C:/Program Files
-  - C:/Program Files (x86)
-  {{ else -}}
-  file.paths:
-  - /bin
-  - /usr/bin
-  - /sbin
-  - /usr/sbin
-  - /etc
-  {{ end -}}
-  {{ if .reference }}
-  # Scan over the configured file paths at startup and send events for new or
-  # modified files since the last time Auditbeat was running.
-  file.scan_at_start: true
-
-  # Average scan rate. This throttles the amount of CPU and I/O that Auditbeat
-  # consumes at startup while scanning. Default is "50 MiB".
-  file.scan_rate_per_sec: 50 MiB
-
-  # Limit on the size of files that will be hashed. Default is "100 MiB".
-  file.max_file_size: 100 MiB
-
-  # Hash types to compute when the file changes. Supported types are md5, sha1,
-  # sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256,
-  # sha3_384 and sha3_512. Default is sha1.
-  file.hash_types: [sha1]
-
-  # Detect changes to files included in subdirectories. Disabled by default.
-  file.recursive: false
-  {{- end }}
diff --git a/auditbeat/module/audit/_meta/docs.asciidoc b/auditbeat/module/audit/_meta/docs.asciidoc
deleted file mode 100644
index e3ac64110dc..00000000000
--- a/auditbeat/module/audit/_meta/docs.asciidoc
+++ /dev/null
@@ -1,6 +0,0 @@
-== Audit Module
-
-The `audit` module reports security-relevant information based on data captured
-from the operating system (OS) or services running on the OS. Although this
-feature doesn’t provide additional security to your system, it does make it
-easier for you to discover and track security policy violations.
diff --git a/auditbeat/module/audit/_meta/fields.yml b/auditbeat/module/audit/_meta/fields.yml
deleted file mode 100644
index 89047c5a178..00000000000
--- a/auditbeat/module/audit/_meta/fields.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- key: audit
-  title: Audit
-  short_config: true
-  description: >
-    The `audit` module reports security-relevant information based on data
-    captured from the operating system (OS) or services running on the OS.
-  fields:
-    - name: audit
-      type: group
-      description: >
-      fields:
diff --git a/auditbeat/module/audit/doc.go b/auditbeat/module/audit/doc.go
deleted file mode 100644
index ab5e38e570b..00000000000
--- a/auditbeat/module/audit/doc.go
+++ /dev/null
@@ -1,4 +0,0 @@
-// Package audit is an Auditbeat module that reports security-relevant
-// information based on data captured from the operating system (OS) or services
-// running on the OS.
-package audit
diff --git a/auditbeat/module/audit/file/_meta/data.json b/auditbeat/module/audit/file/_meta/data.json
deleted file mode 100644
index 15b52e77d88..00000000000
--- a/auditbeat/module/audit/file/_meta/data.json
+++ /dev/null
@@ -1,34 +0,0 @@
-{
-  "@timestamp": "2017-10-06T17:35:33.773Z",
-  "@metadata": {
-    "beat": "noindex",
-    "type": "doc",
-    "version": "1.2.3"
-  },
-  "audit": {
-    "file": {
-      "hashed": true,
-      "inode": "15329399",
-      "uid": 501,
-      "group": "staff",
-      "ctime": "2017-10-06T17:35:33.000Z",
-      "gid": 20,
-      "path": "/private/var/folders/8x/rnyk6yxn6w97lddn3bs02gf00000gn/T/audit-file387158249/file.data",
-      "mode": "0600",
-      "action": "created",
-      "mtime": "2017-10-06T17:35:33.000Z",
-      "size": 11,
-      "owner": "akroh",
-      "sha1": "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed"
-    }
-  },
-  "metricset": {
-    "module": "audit",
-    "name": "file",
-    "rtt": 5928
-  },
-  "beat": {
-    "name": "host.example.com",
-    "hostname": "host.example.com"
-  }
-}
\ No newline at end of file
diff --git a/auditbeat/module/audit/file/_meta/fields.yml b/auditbeat/module/audit/file/_meta/fields.yml
deleted file mode 100644
index 53b12aba626..00000000000
--- a/auditbeat/module/audit/file/_meta/fields.yml
+++ /dev/null
@@ -1,124 +0,0 @@
-  - name: file
-    type: group
-    description: >
-      The file metricset generates events when a file changes on disk.
-    fields:
-    - name: path
-      type: text
-      description: The path to the file.
-      multi_fields:
-      - name: raw
-        type: keyword
-        description: >
-          The path to the file. This is an non-analyzed field that is useful
-          for aggregations.
-
-    - name: target_path
-      type: keyword
-      description: The target path for symlinks.
-
-    - name: action
-      type: keyword
-      example: attributes_modified
-      description: >
-        Action describes the change that triggered the event. The possible
-        values are: attributes_modified, created, deleted, updated, moved, and
-        config_change.
-
-    - name: type
-      type: keyword
-      description: The file type (file, dir, or symlink).
-
-    - name: inode
-      type: keyword
-      description: The inode representing the file in the filesystem.
-
-    - name: uid
-      type: keyword
-      description: The user ID (UID) of the file owner.
-
-    - name: owner
-      type: keyword
-      description: The file owner's username.
-
-    - name: gid
-      type: keyword
-      description: The primary group ID (GID) of the file.
-
-    - name: group
-      type: keyword
-      description: The primary group name of the file.
-
-    - name: sid
-      type: keyword
-      description: The security identifier (SID) of the file owner (Windows only).
-
-    - name: mode
-      type: keyword
-      example: 0640
-      description: The mode of the file in octal representation.
-
-    - name: size
-      type: long
-      description: The file size in bytes (field is only added when `type` is `file`).
-
-    - name: mtime
-      type: date
-      description: The last modified time of the file (time when content was modified).
-
-    - name: ctime
-      type: date
-      description: The last change time of the file (time when metadata was changed).
-
-    - name: hashed
-      type: boolean
-      description: >
-        Boolean indicating if the event includes any file hashes.
-
-    - name: md5
-      type: keyword
-      description: MD5 hash of the file.
-
-    - name: sha1
-      type: keyword
-      description: SHA1 hash of the file.
-
-    - name: sha224
-      type: keyword
-      description: SHA224 hash of the file.
-
-    - name: sha256
-      type: keyword
-      description: SHA256 hash of the file.
-
-    - name: sha384
-      type: keyword
-      description: SHA384 hash of the file.
-
-    - name: sha3_224
-      type: keyword
-      description: SHA3_224 hash of the file.
-
-    - name: sha3_256
-      type: keyword
-      description: SHA3_256 hash of the file.
-
-    - name: sha3_384
-      type: keyword
-      description: SHA3_384 hash of the file.
-
-    - name: sha3_512
-      type: keyword
-      description: SHA3_512 hash of the file.
-
-    - name: sha512
-      type: keyword
-      description: SHA512 hash of the file.
-
-    - name: sha512_224
-      type: keyword
-      description: SHA512/224 hash of the file.
-
-    - name: sha512_256
-      type: keyword
-      description: SHA512/256 hash of the file.
diff --git a/auditbeat/module/audit/kernel/_meta/fields.yml b/auditbeat/module/audit/kernel/_meta/fields.yml
deleted file mode 100644
index a74b982847d..00000000000
--- a/auditbeat/module/audit/kernel/_meta/fields.yml
+++ /dev/null
@@ -1,859 +0,0 @@
-  - name: kernel
-    type: group
-    description: >
-      The kernel metricset distributes audit events received from the Linux
-      Audit Framework that is a part of the Linux kernel.
-    fields:
-    - name: action
-      type: keyword
-      example: logged-in
-      description: A description of the action taken by the user.
-    - name: actor
-      type: group
-      description: The actor is the user that triggered the audit event.
-      fields:
-      - name: attrs
-        type: group
-        description: Attributes of the actor.
-        fields:
-        - name: auid
-          type: keyword
-          description: login user ID
-        - name: uid
-          type: keyword
-          description: user ID
-        - name: euid
-          type: keyword
-          description: effective user ID
-        - name: fsuid
-          type: keyword
-          description: file system user ID
-        - name: suid
-          type: keyword
-          description: sent user ID
-        - name: gid
-          type: keyword
-          description: group ID
-        - name: egid
-          type: keyword
-          description: effective group ID
-        - name: sgid
-          type: keyword
-          description: set group ID
-        - name: fsgid
-          type: keyword
-          description: file system group ID
-      - name: primary
-        type: keyword
-        description: >
-          The primary identity of the actor. This is the actor's original login
-          ID. It will not change even if the user changes to another account.
-      - name: secondary
-        type: keyword
-        description: The secondary identity of the actor. This is typically
-          the same as the primary, except for when the user has used `su`.
-      - name: selinux
-        type: group
-        description: The SELinux identity of the actor.
-        fields:
-        - name: user
-          type: keyword
-          description: account submitted for authentication
-        - name: role
-          type: keyword
-          description: user's SELinux role
-        - name: domain
-          type: keyword
-          description: The actor's SELinux domain or type.
-        - name: level
-          type: keyword
-          example: s0
-          description: The actor's SELinux level.
-        - name: category
-          type: keyword
-          description: The actor's SELinux category or compartments.
-    - name: category
-      type: keyword
-      example: audit-rule
-      description: >
-        The event's category is a value derived from the `record_type`.
-    - name: sequence
-      type: long
-      description: >
-        The sequence number of the event as assigned by the kernel. Sequence
-        numbers are stored as a uint32 in the kernel and can rollover.
-    - name: session
-      type: keyword
-      description: >
-        The session ID assigned to a login. All events related to a login
-        session will have the same value.
-    - name: paths
-      type: group
-      description: List of paths associated with the event.
-      fields:
-      - name: inode
-        type: keyword
-        description: inode number
-      - name: dev
-        type: keyword
-        description: device name as found in /dev
-      - name: obj_user
-        type: keyword
-        description: ""
-      - name: obj_role
-        type: keyword
-        description: ""
-      - name: obj_domain
-        type: keyword
-        description: ""
-      - name: obj_level
-        type: keyword
-        description: ""
-      - name: objtype
-        type: keyword
-        description: ""
-      - name: ouid
-        type: keyword
-        description: file owner user ID
-      - name: rdev
-        type: keyword
-        description: the device identifier (special files only)
-      - name: nametype
-        type: keyword
-        description: kind of file operation being referenced
-      - name: ogid
-        type: keyword
-        description: file owner group ID
-      - name: item
-        type: keyword
-        description: which item is being recorded
-      - name: mode
-        type: keyword
-        description: mode flags on a file
-      - name: name
-        type: keyword
-        description: file name in avcs
-    - name: record_type
-      type: keyword
-      description: The audit record's type.
-    - name: socket
-      type: group
-      description: Socket data from sockaddr messages.
-      fields:
-      - name: port
-        type: keyword
-        description: The port number.
-      - name: saddr
-        type: keyword
-        description: The raw socket address structure.
-      - name: addr
-        type: keyword
-        description: The remote address.
-      - name: family
-        type: keyword
-        example: unix
-        description: The socket family (unix, ipv4, ipv6, netlink).
-      - name: path
-        type: keyword
-        description: This is the path associated with a unix socket.
-    - name: thing
-      type: group
-      description: >
-        This is the thing or object being acted upon in the event.
-      fields:
-      - name: what
-        type: keyword
-        description: >
-          A description of the what the "thing" is (e.g. file, socket,
-          user-session).
-      - name: primary
-        type: keyword
-        description: ""
-      - name: secondary
-        type: keyword
-        description: ""
-      - name: selinux
-        type: group
-        description: The SELinux identity of the object.
-        fields:
-        - name: user
-          type: keyword
-          description: The owner of the object.
-        - name: role
-          type: keyword
-          description: The object's SELinux role.
-        - name: domain
-          type: keyword
-          description: The object's SELinux domain or type.
-        - name: level
-          type: keyword
-          example: s0
-          description: The object's SELinux level.
-    - name: how
-      type: keyword
-      description: >
-        This describes how the action was performed. Usually this is the exe
-        or command that was being executed that triggered the event.
-    - name: key
-      type: keyword
-      description: The key assigned to the audit rule that triggered the event.
-    - name: result
-      type: keyword
-      example: success or fail
-      description: The result of the audited operation (success/fail).
-    - name: data
-      type: group
-      description: The data from the audit messages.
-      fields:
-      - name: action
-        type: keyword
-        description: netfilter packet disposition
-      - name: minor
-        type: keyword
-        description: device minor number
-      - name: acct
-        type: keyword
-        description: a user's account name
-      - name: addr
-        type: keyword
-        description: the remote address that the user is connecting from
-      - name: cipher
-        type: keyword
-        description: name of crypto cipher selected
-      - name: id
-        type: keyword
-        description: during account changes
-      - name: entries
-        type: keyword
-        description: number of entries in the netfilter table
-      - name: kind
-        type: keyword
-        description: server or client in crypto operation
-      - name: ksize
-        type: keyword
-        description: key size for crypto operation
-      - name: spid
-        type: keyword
-        description: sent process ID
-      - name: arch
-        type: keyword
-        description: the elf architecture flags
-      - name: argc
-        type: keyword
-        description: the number of arguments to an execve syscall
-      - name: major
-        type: keyword
-        description: device major number
-      - name: unit
-        type: keyword
-        description: systemd unit
-      - name: table
-        type: keyword
-        description: netfilter table name
-      - name: terminal
-        type: keyword
-        description: terminal name the user is running programs on
-      - name: comm
-        type: keyword
-        description: command line program name
-      - name: exe
-        type: keyword
-        description: executable name
-      - name: grantors
-        type: keyword
-        description: pam modules approving the action
-      - name: pid
-        type: keyword
-        description: process ID
-      - name: direction
-        type: keyword
-        description: direction of crypto operation
-      - name: op
-        type: keyword
-        description: the operation being performed that is audited
-      - name: tty
-        type: keyword
-        description: tty udevice the user is running programs on
-      - name: proctitle
-        type: keyword
-        description: process title and command line parameters
-      - name: syscall
-        type: keyword
-        description: syscall number in effect when the event occurred
-      - name: data
-        type: keyword
-        description: TTY text
-      - name: family
-        type: keyword
-        description: netfilter protocol
-      - name: mac
-        type: keyword
-        description: crypto MAC algorithm selected
-      - name: pfs
-        type: keyword
-        description: perfect forward secrecy method
-      - name: items
-        type: keyword
-        description: the number of path records in the event
-      - name: a0
-        type: keyword
-        description: ""
-      - name: a1
-        type: keyword
-        description: ""
-      - name: a2
-        type: keyword
-        description: ""
-      - name: a3
-        type: keyword
-        description: ""
-      - name: cwd
-        type: keyword
-        description: the current working directory
-      - name: hostname
-        type: keyword
-        description: the hostname that the user is connecting from
-      - name: lport
-        type: keyword
-        description: local network port
-      - name: ppid
-        type: keyword
-        description: parent process ID
-      - name: rport
-        type: keyword
-        description: remote port number
-      - name: cmdline
-        type: keyword
-        description: The full command line from the execve message.
-      - name: exit
-        type: keyword
-        description: syscall exit code
-      - name: fp
-        type: keyword
-        description: crypto key finger print
-      - name: laddr
-        type: keyword
-        description: local network address
-      - name: sport
-        type: keyword
-        description: local port number
-      - name: capability
-        type: keyword
-        description: posix capabilities
-      - name: nargs
-        type: keyword
-        description: the number of arguments to a socket call
-      - name: new-enabled
-        type: keyword
-        description: new TTY audit enabled setting
-      - name: audit_backlog_limit
-        type: keyword
-        description: audit system's backlog queue size
-      - name: dir
-        type: keyword
-        description: directory name
-      - name: cap_pe
-        type: keyword
-        description: process effective capability map
-      - name: model
-        type: keyword
-        description: security model being used for virt
-      - name: new_pp
-        type: keyword
-        description: new process permitted capability map
-      - name: old-enabled
-        type: keyword
-        description: present TTY audit enabled setting
-      - name: oauid
-        type: keyword
-        description: object's login user ID
-      - name: old
-        type: keyword
-        description: old value
-      - name: banners
-        type: keyword
-        description: banners used on printed page
-      - name: feature
-        type: keyword
-        description: kernel feature being changed
-      - name: vm-ctx
-        type: keyword
-        description: the vm's context string
-      - name: opid
-        type: keyword
-        description: object's process ID
-      - name: seperms
-        type: keyword
-        description: SELinux permissions being used
-      - name: seresult
-        type: keyword
-        description: SELinux AVC decision granted/denied
-      - name: new-rng
-        type: keyword
-        description: device name of rng being added from a vm
-      - name: old-net
-        type: keyword
-        description: present MAC address assigned to vm
-      - name: sigev_signo
-        type: keyword
-        description: signal number
-      - name: ino
-        type: keyword
-        description: inode number
-      - name: old_enforcing
-        type: keyword
-        description: old MAC enforcement status
-      - name: old-vcpu
-        type: keyword
-        description: present number of CPU cores
-      - name: range
-        type: keyword
-        description: user's SE Linux range
-      - name: res
-        type: keyword
-        description: result of the audited operation(success/fail)
-      - name: added
-        type: keyword
-        description: number of new files detected
-      - name: fam
-        type: keyword
-        description: socket address family
-      - name: nlnk-pid
-        type: keyword
-        description: pid of netlink packet sender
-      - name: subj
-        type: keyword
-        description: lspp subject's context string
-      - name: a[0-3]
-        type: keyword
-        description: the arguments to a syscall
-      - name: cgroup
-        type: keyword
-        description: path to cgroup in sysfs
-      - name: kernel
-        type: keyword
-        description: kernel's version number
-      - name: ocomm
-        type: keyword
-        description: object's command line name
-      - name: new-net
-        type: keyword
-        description: MAC address being assigned to vm
-      - name: permissive
-        type: keyword
-        description: SELinux is in permissive mode
-      - name: class
-        type: keyword
-        description: resource class assigned to vm
-      - name: compat
-        type: keyword
-        description: is_compat_task result
-      - name: fi
-        type: keyword
-        description: file assigned inherited capability map
-      - name: changed
-        type: keyword
-        description: number of changed files
-      - name: msg
-        type: keyword
-        description: the payload of the audit record
-      - name: dport
-        type: keyword
-        description: remote port number
-      - name: new-seuser
-        type: keyword
-        description: new SELinux user
-      - name: invalid_context
-        type: keyword
-        description: SELinux context
-      - name: dmac
-        type: keyword
-        description: remote MAC address
-      - name: ipx-net
-        type: keyword
-        description: IPX network number
-      - name: iuid
-        type: keyword
-        description: ipc object's user ID
-      - name: macproto
-        type: keyword
-        description: ethernet packet type ID field
-      - name: obj
-        type: keyword
-        description: lspp object context string
-      - name: a[[:digit:]+]\[.*\]
-        type: keyword
-        description: the arguments to the execve syscall
-      - name: ipid
-        type: keyword
-        description: IP datagram fragment identifier
-      - name: new-fs
-        type: keyword
-        description: file system being added to vm
-      - name: vm-pid
-        type: keyword
-        description: vm's process ID
-      - name: cap_pi
-        type: keyword
-        description: process inherited capability map
-      - name: old-auid
-        type: keyword
-        description: previous auid value
-      - name: oses
-        type: keyword
-        description: object's session ID
-      - name: fd
-        type: keyword
-        description: file descriptor number
-      - name: igid
-        type: keyword
-        description: ipc object's group ID
-      - name: new-disk
-        type: keyword
-        description: disk being added to vm
-      - name: parent
-        type: keyword
-        description: the inode number of the parent file
-      - name: len
-        type: keyword
-        description: length
-      - name: oflag
-        type: keyword
-        description: open syscall flags
-      - name: uuid
-        type: keyword
-        description: a UUID
-      - name: code
-        type: keyword
-        description: seccomp action code
-      - name: nlnk-grp
-        type: keyword
-        description: netlink group number
-      - name: cap_fp
-        type: keyword
-        description: file permitted capability map
-      - name: new-mem
-        type: keyword
-        description: new amount of memory in KB
-      - name: seperm
-        type: keyword
-        description: SELinux permission being decided on
-      - name: enforcing
-        type: keyword
-        description: new MAC enforcement status
-      - name: new-chardev
-        type: keyword
-        description: new character device being assigned to vm
-      - name: old-rng
-        type: keyword
-        description: device name of rng being removed from a vm
-      - name: outif
-        type: keyword
-        description: out interface number
-      - name: cmd
-        type: keyword
-        description: command being executed
-      - name: hook
-        type: keyword
-        description: netfilter hook that packet came from
-      - name: new-level
-        type: keyword
-        description: new run level
-      - name: sauid
-        type: keyword
-        description: sent login user ID
-      - name: sig
-        type: keyword
-        description: signal number
-      - name: audit_backlog_wait_time
-        type: keyword
-        description: audit system's backlog wait time
-      - name: printer
-        type: keyword
-        description: printer name
-      - name: old-mem
-        type: keyword
-        description: present amount of memory in KB
-      - name: perm
-        type: keyword
-        description: the file permission being used
-      - name: old_pi
-        type: keyword
-        description: old process inherited capability map
-      - name: state
-        type: keyword
-        description: audit daemon configuration resulting state
-      - name: format
-        type: keyword
-        description: audit log's format
-      - name: new_gid
-        type: keyword
-        description: new group ID being assigned
-      - name: tcontext
-        type: keyword
-        description: the target's or object's context string
-      - name: maj
-        type: keyword
-        description: device major number
-      - name: watch
-        type: keyword
-        description: file name in a watch record
-      - name: device
-        type: keyword
-        description: device name
-      - name: grp
-        type: keyword
-        description: group name
-      - name: bool
-        type: keyword
-        description: name of SELinux boolean
-      - name: icmp_type
-        type: keyword
-        description: type of icmp message
-      - name: new_lock
-        type: keyword
-        description: new value of feature lock
-      - name: old_prom
-        type: keyword
-        description: network promiscuity flag
-      - name: acl
-        type: keyword
-        description: access mode of resource assigned to vm
-      - name: ip
-        type: keyword
-        description: network address of a printer
-      - name: new_pi
-        type: keyword
-        description: new process inherited capability map
-      - name: default-context
-        type: keyword
-        description: default MAC context
-      - name: inode_gid
-        type: keyword
-        description: group ID of the inode's owner
-      - name: new-log_passwd
-        type: keyword
-        description: new value for TTY password logging
-      - name: new_pe
-        type: keyword
-        description: new process effective capability map
-      - name: selected-context
-        type: keyword
-        description: new MAC context assigned to session
-      - name: cap_fver
-        type: keyword
-        description: file system capabilities version number
-      - name: file
-        type: keyword
-        description: file name
-      - name: net
-        type: keyword
-        description: network MAC address
-      - name: virt
-        type: keyword
-        description: kind of virtualization being referenced
-      - name: cap_pp
-        type: keyword
-        description: process permitted capability map
-      - name: old-range
-        type: keyword
-        description: present SELinux range
-      - name: resrc
-        type: keyword
-        description: resource being assigned
-      - name: new-range
-        type: keyword
-        description: new SELinux range
-      - name: obj_gid
-        type: keyword
-        description: group ID of object
-      - name: proto
-        type: keyword
-        description: network protocol
-      - name: old-disk
-        type: keyword
-        description: disk being removed from vm
-      - name: audit_failure
-        type: keyword
-        description: audit system's failure mode
-      - name: inif
-        type: keyword
-        description: in interface number
-      - name: vm
-        type: keyword
-        description: virtual machine name
-      - name: flags
-        type: keyword
-        description: mmap syscall flags
-      - name: nlnk-fam
-        type: keyword
-        description: netlink protocol number
-      - name: old-fs
-        type: keyword
-        description: file system being removed from vm
-      - name: old-ses
-        type: keyword
-        description: previous ses value
-      - name: seqno
-        type: keyword
-        description: sequence number
-      - name: fver
-        type: keyword
-        description: file system capabilities version number
-      - name: qbytes
-        type: keyword
-        description: ipc objects quantity of bytes
-      - name: seuser
-        type: keyword
-        description: user's SE Linux user acct
-      - name: cap_fe
-        type: keyword
-        description: file assigned effective capability map
-      - name: new-vcpu
-        type: keyword
-        description: new number of CPU cores
-      - name: old-level
-        type: keyword
-        description: old run level
-      - name: old_pp
-        type: keyword
-        description: old process permitted capability map
-      - name: daddr
-        type: keyword
-        description: remote IP address
-      - name: old-role
-        type: keyword
-        description: present SELinux role
-      - name: ioctlcmd
-        type: keyword
-        description: The request argument to the ioctl syscall
-      - name: smac
-        type: keyword
-        description: local MAC address
-      - name: apparmor
-        type: keyword
-        description: apparmor event information
-      - name: fe
-        type: keyword
-        description: file assigned effective capability map
-      - name: perm_mask
-        type: keyword
-        description: file permission mask that triggered a watch event
-      - name: ses
-        type: keyword
-        description: login session ID
-      - name: cap_fi
-        type: keyword
-        description: file inherited capability map
-      - name: obj_uid
-        type: keyword
-        description: user ID of object
-      - name: reason
-        type: keyword
-        description: text string denoting a reason for the action
-      - name: list
-        type: keyword
-        description: the audit system's filter list number
-      - name: old_lock
-        type: keyword
-        description: present value of feature lock
-      - name: bus
-        type: keyword
-        description: name of subsystem bus a vm resource belongs to
-      - name: old_pe
-        type: keyword
-        description: old process effective capability map
-      - name: new-role
-        type: keyword
-        description: new SELinux role
-      - name: prom
-        type: keyword
-        description: network promiscuity flag
-      - name: uri
-        type: keyword
-        description: URI pointing to a printer
-      - name: audit_enabled
-        type: keyword
-        description: audit systems's enable/disable status
-      - name: old-log_passwd
-        type: keyword
-        description: present value for TTY password logging
-      - name: old-seuser
-        type: keyword
-        description: present SELinux user
-      - name: per
-        type: keyword
-        description: linux personality
-      - name: scontext
-        type: keyword
-        description: the subject's context string
-      - name: tclass
-        type: keyword
-        description: target's object classification
-      - name: ver
-        type: keyword
-        description: audit daemon's version number
-      - name: new
-        type: keyword
-        description: value being set in feature
-      - name: val
-        type: keyword
-        description: generic value associated with the operation
-      - name: img-ctx
-        type: keyword
-        description: the vm's disk image context string
-      - name: old-chardev
-        type: keyword
-        description: present character device assigned to vm
-      - name: old_val
-        type: keyword
-        description: current value of SELinux boolean
-      - name: success
-        type: keyword
-        description: whether the syscall was successful or not
-      - name: inode_uid
-        type: keyword
-        description: user ID of the inode's owner
-      - name: removed
-        type: keyword
-        description: number of deleted files
-    - name: messages
-      type: text
-      description: >
-        An ordered list of the raw messages received from the kernel that
-        were used to construct this document. This field is present if an error
-        occurred processing the data or if `kernel.include_raw_message` is set
-        in the config.
-    - name: warnings
-      type: keyword
-      description: >
-        The warnings generated by the Beat during the construction of the event.
-        These are disabled by default and are used for development and debug
-        purposes only.
-    - name: geoip
-      type: group
-      description: >
-        Contains GeoIP information gathered based on the `os_events.audit.addr`
-        field. Only present if the GeoIP Elasticsearch plugin is available and
-        used.
-      fields:
-        - name: continent_name
-          type: keyword
-          description: >
-            The name of the continent.
-        - name: city_name
-          type: keyword
-          description: >
-            The name of the city.
-        - name: region_name
-          type: keyword
-          description: >
-            The name of the region.
-        - name: country_iso_code
-          type: keyword
-          description: >
-            Country ISO code.
-        - name: location
-          type: geo_point
-          description: >
-            The longitude and latitude.
diff --git a/auditbeat/module/audit/kernel/audit_unsupported.go b/auditbeat/module/audit/kernel/audit_unsupported.go
deleted file mode 100644
index f9a22e9acb5..00000000000
--- a/auditbeat/module/audit/kernel/audit_unsupported.go
+++ /dev/null
@@ -1,21 +0,0 @@
-// +build !linux
-
-package kernel
-
-import (
-	"errors"
-
-	"github.com/elastic/beats/metricbeat/mb"
-	"github.com/elastic/beats/metricbeat/mb/parse"
-)
-
-func init() {
-	if err := mb.Registry.AddMetricSet("audit", "kernel", New, parse.EmptyHostParser); err != nil {
-		panic(err)
-	}
-}
-
-// New constructs a new MetricSet.
-func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
-	return nil, errors.New("the audit.kernel metricset is only supported on linux")
-}
diff --git a/auditbeat/module/audit/kernel/doc.go b/auditbeat/module/audit/kernel/doc.go
deleted file mode 100644
index cb42bed6834..00000000000
--- a/auditbeat/module/audit/kernel/doc.go
+++ /dev/null
@@ -1,3 +0,0 @@
-// Package kernel is a metricset that subscribes to the Linux Audit Framework
-// to receive audit events from the the kernel.
-package kernel
diff --git a/auditbeat/module/audit/module.yml b/auditbeat/module/audit/module.yml
deleted file mode 100644
index 1dea5f51f39..00000000000
--- a/auditbeat/module/audit/module.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-dashboards:
-- id: AV0tXkjYg1PYniApZbKP
-  file: auditbeat-file-integrity.json
-
-- id: c0ac2c00-c1c0-11e7-8995-936807a28b16
-  file: auditbeat-kernel-overview.json
-
-- id: 7de391b0-c1ca-11e7-8995-936807a28b16
-  file: auditbeat-kernel-executions.json
-
-- id: 693a5f40-c243-11e7-8692-232bd1143e8a
-  file: auditbeat-kernel-sockets.json
diff --git a/auditbeat/module/auditd/_meta/config.yml.tpl b/auditbeat/module/auditd/_meta/config.yml.tpl
new file mode 100644
index 00000000000..af9ff32f653
--- /dev/null
+++ b/auditbeat/module/auditd/_meta/config.yml.tpl
@@ -0,0 +1,40 @@
+{{ if eq .goos "linux" -}}
+{{ if .reference -}}
+# The auditd module collects events from the audit framework in the Linux
+# kernel. You need to specify audit rules for the events that you want to audit.
+{{ end -}}
+- module: auditd
+  {{ if .reference -}}
+  resolve_ids: true
+  failure_mode: silent
+  backlog_limit: 8196
+  rate_limit: 0
+  include_raw_message: false
+  include_warnings: false
+  {{ end -}}
+  audit_rules: |
+    ## Define audit rules here.
+    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
+    ## examples or add your own rules.
+
+    ## If you are on a 64 bit platform, everything should be running
+    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+    ## because this might be a sign of someone exploiting a hole in the 32
+    ## bit API.
+    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+    ## Executions.
+    #-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+    ## External access.
+    #-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
+
+    ## Identity changes.
+    #-w /etc/group -p wa -k identity
+    #-w /etc/passwd -p wa -k identity
+    #-w /etc/gshadow -p wa -k identity
+
+    ## Unauthorized access attempts.
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+{{ end -}}
diff --git a/auditbeat/module/audit/kernel/_meta/data.json b/auditbeat/module/auditd/_meta/data.json
similarity index 86%
rename from auditbeat/module/audit/kernel/_meta/data.json
rename to auditbeat/module/auditd/_meta/data.json
index 1fcfb1b003d..6d417fe57e8 100644
--- a/auditbeat/module/audit/kernel/_meta/data.json
+++ b/auditbeat/module/auditd/_meta/data.json
@@ -1,5 +1,5 @@
 {
-    "@timestamp": "2017-04-22T21:25:01.818Z",
+    "@timestamp": "2017-10-12T08:05:34.853Z",
     "audit": {
         "kernel": {
             "action": "logged-in",
@@ -36,10 +36,7 @@
         "hostname": "host.example.com",
         "name": "host.example.com"
     },
-    "metricset": {
-        "module": "audit",
-        "name": "kernel",
-        "rtt": 115
-    },
-    "type": "metricsets"
+    "dataset": {
+        "module": "auditd"
+    }
 }
\ No newline at end of file
diff --git a/auditbeat/module/audit/kernel/_meta/docs.asciidoc b/auditbeat/module/auditd/_meta/docs.asciidoc
similarity index 77%
rename from auditbeat/module/audit/kernel/_meta/docs.asciidoc
rename to auditbeat/module/auditd/_meta/docs.asciidoc
index 541144c16dd..4d19aad5601 100644
--- a/auditbeat/module/audit/kernel/_meta/docs.asciidoc
+++ b/auditbeat/module/auditd/_meta/docs.asciidoc
@@ -1,33 +1,33 @@
-=== Audit kernel metricset
+=== Auditd Module
 
-The `kernel` metricset receives audit events from the Linux Audit Framework that
+The `auditd` module receives audit events from the Linux Audit Framework that
 is a part of the Linux kernel.
 
-This metricset is available only for Linux.
+This module is available only for Linux.
 
 [float]
 === How it works
 
-This metricset establishes a subscription to the kernel to receive the events
-as they occur. So unlike most other metricsets, the `period` configuration
+This module establishes a subscription to the kernel to receive the events
+as they occur. So unlike most other modules, the `period` configuration
 option is unused because it is not implemented using polling.
 
 The Linux Audit Framework can send multiple messages for a single auditable
 event. For example, a `rename` syscall causes the kernel to send eight separate
 messages. Each message describes a different aspect of the activity that is
 occurring (the syscall itself, file paths, current working directory, process
-title). This metricset will combine all of the data from each of the messages
+title). This module will combine all of the data from each of the messages
 into a single event.
 
 Messages for one event can be interleaved with messages from another event. This
-metricset will buffer the messages in order to combine related messages into a
+module will buffer the messages in order to combine related messages into a
 single event even if they arrive interleaved or out of order.
 
 [float]
 === Useful commands
 
-When running {beatname_uc} with the `kernel` metricset enabled, you might find
-that other monitoring systems interfere with {beatname_uc}.
+When running {beatname_uc} with the `auditd` module enabled, you might find
+that other monitoring tools interfere with {beatname_uc}.
 
 For example, you might encounter errors if another process, such as `auditd`, is
 registered to receive data from the Linux Audit Framework. You can use these
@@ -66,22 +66,21 @@ systemctl mask systemd-journald-audit.socket
 [float]
 === Configuration options
 
-This metricset has some configuration options for tuning its behavior. The
+This module has some configuration options for tuning its behavior. The
 following example shows all configuration options with their default values.
 
 [source,yaml]
 ----
-- module: audit
-  metricsets: ["kernel"]
-  kernel.resolve_ids: true
-  kernel.failure_mode: silent
-  kernel.backlog_limit: 8196
-  kernel.rate_limit: 0
-  kernel.include_raw_message: false
-  kernel.include_warnings: false
+- module: auditd
+  resolve_ids: true
+  failure_mode: silent
+  backlog_limit: 8196
+  rate_limit: 0
+  include_raw_message: false
+  include_warnings: false
 ----
 
-*`kernel.socket_type`*:: This optional setting controls the type of
+*`socket_type`*:: This optional setting controls the type of
 socket that {beatname_uc} uses to receive events from the kernel. The two
 options are `unicast` and `multicast`.
 +
@@ -99,10 +98,10 @@ than 3.16 {beatname_uc} will automatically revert to `unicast`.
 By default {beatname_uc} will use `multicast` if the kernel version is 3.16 or
 newer and no rules have been defined. Otherwise `unicast` will be used.
 
-*`kernel.resolve_ids`*:: This boolean setting enables the resolution of UIDs and
+*`resolve_ids`*:: This boolean setting enables the resolution of UIDs and
 GIDs to their associated names. The default value is true.
 
-*`kernel.failure_mode`*:: This determines the kernel's behavior on critical
+*`failure_mode`*:: This determines the kernel's behavior on critical
 failures such as errors sending events to {beatname_uc}, the backlog limit was
 exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
 options are `silent`, `log`, or `panic`. `silent` basically makes the kernel
@@ -110,28 +109,28 @@ ignore the errors, `log` makes the kernel write the audit messages using
 `printk` so they show up in system's syslog, and `panic` causes the kernel to
 panic to prevent use of the machine. {beatname_uc}'s default is `silent`.
 
-*`kernel.backlog_limit`*:: This controls the maximum number of audit messages
+*`backlog_limit`*:: This controls the maximum number of audit messages
 that will be buffered by the kernel.
 
-*`kernel.rate_limit`*:: This sets a rate limit on the number of messages/sec
+*`rate_limit`*:: This sets a rate limit on the number of messages/sec
 delivered by the kernel. The default is 0, which disables rate limiting.
 Changing this value to anything other than zero can cause messages to be lost.
 The preferred approach to reduce the messaging rate is be more selective in the
 audit ruleset.
 
-*`kernel.include_raw_message`*:: This boolean setting causes {beatname_uc} to
+*`include_raw_message`*:: This boolean setting causes {beatname_uc} to
 include each of the raw messages that contributed to the event in the document
 as a field called `messages`. The default value is false. This setting is
 primarily used for development and debugging purposes.
 
-*`kernel.include_warnings`*:: This boolean setting causes {beatname_uc} to
+*`include_warnings`*:: This boolean setting causes {beatname_uc} to
 include as warnings any issues that were encountered while parsing the raw
 messages. The default value is false. When this setting is enabled the raw
 messages will be included in the event regardless of the
-`kernel.include_raw_message` config setting. This setting is primarily used for
+`include_raw_message` config setting. This setting is primarily used for
 development and debugging purposes.
 
-*`kernel.audit_rules`*:: A string containing the audit rules that should be
+*`audit_rules`*:: A string containing the audit rules that should be
 installed to the kernel. There should be one rule per line. Comments can be
 embedded in the string using `#` as a prefix. The format for rules is the same
 used by the Linux `auditctl` utility. {beatname_uc} supports adding file watches
@@ -162,9 +161,8 @@ Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
 ["source","sh",subs="attributes"]
 ----
 {beatname_lc}.modules:
-- module: audit
-  metricsets: ["kernel"]
-  kernel.audit_rules: |
+- module: auditd
+  audit_rules: |
     # Things that affect identity.
     -w /etc/group -p wa -k identity
     -w /etc/passwd -p wa -k identity
diff --git a/auditbeat/module/auditd/_meta/fields.yml b/auditbeat/module/auditd/_meta/fields.yml
new file mode 100644
index 00000000000..7fa66fb59f3
--- /dev/null
+++ b/auditbeat/module/auditd/_meta/fields.yml
@@ -0,0 +1,862 @@
+- key: auditd
+  title: Auditd
+  fields:
+  - name: audit
+    type: group
+    fields:
+    - name: kernel
+      type: group
+      fields:
+      - name: action
+        type: keyword
+        example: logged-in
+        description: A description of the action taken by the user.
+      - name: actor
+        type: group
+        description: The actor is the user that triggered the audit event.
+        fields:
+        - name: attrs
+          type: group
+          description: Attributes of the actor.
+          fields:
+          - name: auid
+            type: keyword
+            description: login user ID
+          - name: uid
+            type: keyword
+            description: user ID
+          - name: euid
+            type: keyword
+            description: effective user ID
+          - name: fsuid
+            type: keyword
+            description: file system user ID
+          - name: suid
+            type: keyword
+            description: sent user ID
+          - name: gid
+            type: keyword
+            description: group ID
+          - name: egid
+            type: keyword
+            description: effective group ID
+          - name: sgid
+            type: keyword
+            description: set group ID
+          - name: fsgid
+            type: keyword
+            description: file system group ID
+        - name: primary
+          type: keyword
+          description: >
+            The primary identity of the actor. This is the actor's original login
+            ID. It will not change even if the user changes to another account.
+        - name: secondary
+          type: keyword
+          description: The secondary identity of the actor. This is typically
+            the same as the primary, except for when the user has used `su`.
+        - name: selinux
+          type: group
+          description: The SELinux identity of the actor.
+          fields:
+          - name: user
+            type: keyword
+            description: account submitted for authentication
+          - name: role
+            type: keyword
+            description: user's SELinux role
+          - name: domain
+            type: keyword
+            description: The actor's SELinux domain or type.
+          - name: level
+            type: keyword
+            example: s0
+            description: The actor's SELinux level.
+          - name: category
+            type: keyword
+            description: The actor's SELinux category or compartments.
+      - name: category
+        type: keyword
+        example: audit-rule
+        description: >
+          The event's category is a value derived from the `record_type`.
+      - name: sequence
+        type: long
+        description: >
+          The sequence number of the event as assigned by the kernel. Sequence
+          numbers are stored as a uint32 in the kernel and can rollover.
+      - name: session
+        type: keyword
+        description: >
+          The session ID assigned to a login. All events related to a login
+          session will have the same value.
+      - name: paths
+        type: group
+        description: List of paths associated with the event.
+        fields:
+        - name: inode
+          type: keyword
+          description: inode number
+        - name: dev
+          type: keyword
+          description: device name as found in /dev
+        - name: obj_user
+          type: keyword
+          description: ""
+        - name: obj_role
+          type: keyword
+          description: ""
+        - name: obj_domain
+          type: keyword
+          description: ""
+        - name: obj_level
+          type: keyword
+          description: ""
+        - name: objtype
+          type: keyword
+          description: ""
+        - name: ouid
+          type: keyword
+          description: file owner user ID
+        - name: rdev
+          type: keyword
+          description: the device identifier (special files only)
+        - name: nametype
+          type: keyword
+          description: kind of file operation being referenced
+        - name: ogid
+          type: keyword
+          description: file owner group ID
+        - name: item
+          type: keyword
+          description: which item is being recorded
+        - name: mode
+          type: keyword
+          description: mode flags on a file
+        - name: name
+          type: keyword
+          description: file name in avcs
+      - name: record_type
+        type: keyword
+        description: The audit record's type.
+      - name: socket
+        type: group
+        description: Socket data from sockaddr messages.
+        fields:
+        - name: port
+          type: keyword
+          description: The port number.
+        - name: saddr
+          type: keyword
+          description: The raw socket address structure.
+        - name: addr
+          type: keyword
+          description: The remote address.
+        - name: family
+          type: keyword
+          example: unix
+          description: The socket family (unix, ipv4, ipv6, netlink).
+        - name: path
+          type: keyword
+          description: This is the path associated with a unix socket.
+      - name: thing
+        type: group
+        description: >
+          This is the thing or object being acted upon in the event.
+        fields:
+        - name: what
+          type: keyword
+          description: >
+            A description of the what the "thing" is (e.g. file, socket,
+            user-session).
+        - name: primary
+          type: keyword
+          description: ""
+        - name: secondary
+          type: keyword
+          description: ""
+        - name: selinux
+          type: group
+          description: The SELinux identity of the object.
+          fields:
+          - name: user
+            type: keyword
+            description: The owner of the object.
+          - name: role
+            type: keyword
+            description: The object's SELinux role.
+          - name: domain
+            type: keyword
+            description: The object's SELinux domain or type.
+          - name: level
+            type: keyword
+            example: s0
+            description: The object's SELinux level.
+      - name: how
+        type: keyword
+        description: >
+          This describes how the action was performed. Usually this is the exe
+          or command that was being executed that triggered the event.
+      - name: key
+        type: keyword
+        description: The key assigned to the audit rule that triggered the event.
+      - name: result
+        type: keyword
+        example: success or fail
+        description: The result of the audited operation (success/fail).
+      - name: data
+        type: group
+        description: The data from the audit messages.
+        fields:
+        - name: action
+          type: keyword
+          description: netfilter packet disposition
+        - name: minor
+          type: keyword
+          description: device minor number
+        - name: acct
+          type: keyword
+          description: a user's account name
+        - name: addr
+          type: keyword
+          description: the remote address that the user is connecting from
+        - name: cipher
+          type: keyword
+          description: name of crypto cipher selected
+        - name: id
+          type: keyword
+          description: during account changes
+        - name: entries
+          type: keyword
+          description: number of entries in the netfilter table
+        - name: kind
+          type: keyword
+          description: server or client in crypto operation
+        - name: ksize
+          type: keyword
+          description: key size for crypto operation
+        - name: spid
+          type: keyword
+          description: sent process ID
+        - name: arch
+          type: keyword
+          description: the elf architecture flags
+        - name: argc
+          type: keyword
+          description: the number of arguments to an execve syscall
+        - name: major
+          type: keyword
+          description: device major number
+        - name: unit
+          type: keyword
+          description: systemd unit
+        - name: table
+          type: keyword
+          description: netfilter table name
+        - name: terminal
+          type: keyword
+          description: terminal name the user is running programs on
+        - name: comm
+          type: keyword
+          description: command line program name
+        - name: exe
+          type: keyword
+          description: executable name
+        - name: grantors
+          type: keyword
+          description: pam modules approving the action
+        - name: pid
+          type: keyword
+          description: process ID
+        - name: direction
+          type: keyword
+          description: direction of crypto operation
+        - name: op
+          type: keyword
+          description: the operation being performed that is audited
+        - name: tty
+          type: keyword
+          description: tty udevice the user is running programs on
+        - name: proctitle
+          type: keyword
+          description: process title and command line parameters
+        - name: syscall
+          type: keyword
+          description: syscall number in effect when the event occurred
+        - name: data
+          type: keyword
+          description: TTY text
+        - name: family
+          type: keyword
+          description: netfilter protocol
+        - name: mac
+          type: keyword
+          description: crypto MAC algorithm selected
+        - name: pfs
+          type: keyword
+          description: perfect forward secrecy method
+        - name: items
+          type: keyword
+          description: the number of path records in the event
+        - name: a0
+          type: keyword
+          description: ""
+        - name: a1
+          type: keyword
+          description: ""
+        - name: a2
+          type: keyword
+          description: ""
+        - name: a3
+          type: keyword
+          description: ""
+        - name: cwd
+          type: keyword
+          description: the current working directory
+        - name: hostname
+          type: keyword
+          description: the hostname that the user is connecting from
+        - name: lport
+          type: keyword
+          description: local network port
+        - name: ppid
+          type: keyword
+          description: parent process ID
+        - name: rport
+          type: keyword
+          description: remote port number
+        - name: cmdline
+          type: keyword
+          description: The full command line from the execve message.
+        - name: exit
+          type: keyword
+          description: syscall exit code
+        - name: fp
+          type: keyword
+          description: crypto key finger print
+        - name: laddr
+          type: keyword
+          description: local network address
+        - name: sport
+          type: keyword
+          description: local port number
+        - name: capability
+          type: keyword
+          description: posix capabilities
+        - name: nargs
+          type: keyword
+          description: the number of arguments to a socket call
+        - name: new-enabled
+          type: keyword
+          description: new TTY audit enabled setting
+        - name: audit_backlog_limit
+          type: keyword
+          description: audit system's backlog queue size
+        - name: dir
+          type: keyword
+          description: directory name
+        - name: cap_pe
+          type: keyword
+          description: process effective capability map
+        - name: model
+          type: keyword
+          description: security model being used for virt
+        - name: new_pp
+          type: keyword
+          description: new process permitted capability map
+        - name: old-enabled
+          type: keyword
+          description: present TTY audit enabled setting
+        - name: oauid
+          type: keyword
+          description: object's login user ID
+        - name: old
+          type: keyword
+          description: old value
+        - name: banners
+          type: keyword
+          description: banners used on printed page
+        - name: feature
+          type: keyword
+          description: kernel feature being changed
+        - name: vm-ctx
+          type: keyword
+          description: the vm's context string
+        - name: opid
+          type: keyword
+          description: object's process ID
+        - name: seperms
+          type: keyword
+          description: SELinux permissions being used
+        - name: seresult
+          type: keyword
+          description: SELinux AVC decision granted/denied
+        - name: new-rng
+          type: keyword
+          description: device name of rng being added from a vm
+        - name: old-net
+          type: keyword
+          description: present MAC address assigned to vm
+        - name: sigev_signo
+          type: keyword
+          description: signal number
+        - name: ino
+          type: keyword
+          description: inode number
+        - name: old_enforcing
+          type: keyword
+          description: old MAC enforcement status
+        - name: old-vcpu
+          type: keyword
+          description: present number of CPU cores
+        - name: range
+          type: keyword
+          description: user's SE Linux range
+        - name: res
+          type: keyword
+          description: result of the audited operation(success/fail)
+        - name: added
+          type: keyword
+          description: number of new files detected
+        - name: fam
+          type: keyword
+          description: socket address family
+        - name: nlnk-pid
+          type: keyword
+          description: pid of netlink packet sender
+        - name: subj
+          type: keyword
+          description: lspp subject's context string
+        - name: a[0-3]
+          type: keyword
+          description: the arguments to a syscall
+        - name: cgroup
+          type: keyword
+          description: path to cgroup in sysfs
+        - name: kernel
+          type: keyword
+          description: kernel's version number
+        - name: ocomm
+          type: keyword
+          description: object's command line name
+        - name: new-net
+          type: keyword
+          description: MAC address being assigned to vm
+        - name: permissive
+          type: keyword
+          description: SELinux is in permissive mode
+        - name: class
+          type: keyword
+          description: resource class assigned to vm
+        - name: compat
+          type: keyword
+          description: is_compat_task result
+        - name: fi
+          type: keyword
+          description: file assigned inherited capability map
+        - name: changed
+          type: keyword
+          description: number of changed files
+        - name: msg
+          type: keyword
+          description: the payload of the audit record
+        - name: dport
+          type: keyword
+          description: remote port number
+        - name: new-seuser
+          type: keyword
+          description: new SELinux user
+        - name: invalid_context
+          type: keyword
+          description: SELinux context
+        - name: dmac
+          type: keyword
+          description: remote MAC address
+        - name: ipx-net
+          type: keyword
+          description: IPX network number
+        - name: iuid
+          type: keyword
+          description: ipc object's user ID
+        - name: macproto
+          type: keyword
+          description: ethernet packet type ID field
+        - name: obj
+          type: keyword
+          description: lspp object context string
+        - name: a[[:digit:]+]\[.*\]
+          type: keyword
+          description: the arguments to the execve syscall
+        - name: ipid
+          type: keyword
+          description: IP datagram fragment identifier
+        - name: new-fs
+          type: keyword
+          description: file system being added to vm
+        - name: vm-pid
+          type: keyword
+          description: vm's process ID
+        - name: cap_pi
+          type: keyword
+          description: process inherited capability map
+        - name: old-auid
+          type: keyword
+          description: previous auid value
+        - name: oses
+          type: keyword
+          description: object's session ID
+        - name: fd
+          type: keyword
+          description: file descriptor number
+        - name: igid
+          type: keyword
+          description: ipc object's group ID
+        - name: new-disk
+          type: keyword
+          description: disk being added to vm
+        - name: parent
+          type: keyword
+          description: the inode number of the parent file
+        - name: len
+          type: keyword
+          description: length
+        - name: oflag
+          type: keyword
+          description: open syscall flags
+        - name: uuid
+          type: keyword
+          description: a UUID
+        - name: code
+          type: keyword
+          description: seccomp action code
+        - name: nlnk-grp
+          type: keyword
+          description: netlink group number
+        - name: cap_fp
+          type: keyword
+          description: file permitted capability map
+        - name: new-mem
+          type: keyword
+          description: new amount of memory in KB
+        - name: seperm
+          type: keyword
+          description: SELinux permission being decided on
+        - name: enforcing
+          type: keyword
+          description: new MAC enforcement status
+        - name: new-chardev
+          type: keyword
+          description: new character device being assigned to vm
+        - name: old-rng
+          type: keyword
+          description: device name of rng being removed from a vm
+        - name: outif
+          type: keyword
+          description: out interface number
+        - name: cmd
+          type: keyword
+          description: command being executed
+        - name: hook
+          type: keyword
+          description: netfilter hook that packet came from
+        - name: new-level
+          type: keyword
+          description: new run level
+        - name: sauid
+          type: keyword
+          description: sent login user ID
+        - name: sig
+          type: keyword
+          description: signal number
+        - name: audit_backlog_wait_time
+          type: keyword
+          description: audit system's backlog wait time
+        - name: printer
+          type: keyword
+          description: printer name
+        - name: old-mem
+          type: keyword
+          description: present amount of memory in KB
+        - name: perm
+          type: keyword
+          description: the file permission being used
+        - name: old_pi
+          type: keyword
+          description: old process inherited capability map
+        - name: state
+          type: keyword
+          description: audit daemon configuration resulting state
+        - name: format
+          type: keyword
+          description: audit log's format
+        - name: new_gid
+          type: keyword
+          description: new group ID being assigned
+        - name: tcontext
+          type: keyword
+          description: the target's or object's context string
+        - name: maj
+          type: keyword
+          description: device major number
+        - name: watch
+          type: keyword
+          description: file name in a watch record
+        - name: device
+          type: keyword
+          description: device name
+        - name: grp
+          type: keyword
+          description: group name
+        - name: bool
+          type: keyword
+          description: name of SELinux boolean
+        - name: icmp_type
+          type: keyword
+          description: type of icmp message
+        - name: new_lock
+          type: keyword
+          description: new value of feature lock
+        - name: old_prom
+          type: keyword
+          description: network promiscuity flag
+        - name: acl
+          type: keyword
+          description: access mode of resource assigned to vm
+        - name: ip
+          type: keyword
+          description: network address of a printer
+        - name: new_pi
+          type: keyword
+          description: new process inherited capability map
+        - name: default-context
+          type: keyword
+          description: default MAC context
+        - name: inode_gid
+          type: keyword
+          description: group ID of the inode's owner
+        - name: new-log_passwd
+          type: keyword
+          description: new value for TTY password logging
+        - name: new_pe
+          type: keyword
+          description: new process effective capability map
+        - name: selected-context
+          type: keyword
+          description: new MAC context assigned to session
+        - name: cap_fver
+          type: keyword
+          description: file system capabilities version number
+        - name: file
+          type: keyword
+          description: file name
+        - name: net
+          type: keyword
+          description: network MAC address
+        - name: virt
+          type: keyword
+          description: kind of virtualization being referenced
+        - name: cap_pp
+          type: keyword
+          description: process permitted capability map
+        - name: old-range
+          type: keyword
+          description: present SELinux range
+        - name: resrc
+          type: keyword
+          description: resource being assigned
+        - name: new-range
+          type: keyword
+          description: new SELinux range
+        - name: obj_gid
+          type: keyword
+          description: group ID of object
+        - name: proto
+          type: keyword
+          description: network protocol
+        - name: old-disk
+          type: keyword
+          description: disk being removed from vm
+        - name: audit_failure
+          type: keyword
+          description: audit system's failure mode
+        - name: inif
+          type: keyword
+          description: in interface number
+        - name: vm
+          type: keyword
+          description: virtual machine name
+        - name: flags
+          type: keyword
+          description: mmap syscall flags
+        - name: nlnk-fam
+          type: keyword
+          description: netlink protocol number
+        - name: old-fs
+          type: keyword
+          description: file system being removed from vm
+        - name: old-ses
+          type: keyword
+          description: previous ses value
+        - name: seqno
+          type: keyword
+          description: sequence number
+        - name: fver
+          type: keyword
+          description: file system capabilities version number
+        - name: qbytes
+          type: keyword
+          description: ipc objects quantity of bytes
+        - name: seuser
+          type: keyword
+          description: user's SE Linux user acct
+        - name: cap_fe
+          type: keyword
+          description: file assigned effective capability map
+        - name: new-vcpu
+          type: keyword
+          description: new number of CPU cores
+        - name: old-level
+          type: keyword
+          description: old run level
+        - name: old_pp
+          type: keyword
+          description: old process permitted capability map
+        - name: daddr
+          type: keyword
+          description: remote IP address
+        - name: old-role
+          type: keyword
+          description: present SELinux role
+        - name: ioctlcmd
+          type: keyword
+          description: The request argument to the ioctl syscall
+        - name: smac
+          type: keyword
+          description: local MAC address
+        - name: apparmor
+          type: keyword
+          description: apparmor event information
+        - name: fe
+          type: keyword
+          description: file assigned effective capability map
+        - name: perm_mask
+          type: keyword
+          description: file permission mask that triggered a watch event
+        - name: ses
+          type: keyword
+          description: login session ID
+        - name: cap_fi
+          type: keyword
+          description: file inherited capability map
+        - name: obj_uid
+          type: keyword
+          description: user ID of object
+        - name: reason
+          type: keyword
+          description: text string denoting a reason for the action
+        - name: list
+          type: keyword
+          description: the audit system's filter list number
+        - name: old_lock
+          type: keyword
+          description: present value of feature lock
+        - name: bus
+          type: keyword
+          description: name of subsystem bus a vm resource belongs to
+        - name: old_pe
+          type: keyword
+          description: old process effective capability map
+        - name: new-role
+          type: keyword
+          description: new SELinux role
+        - name: prom
+          type: keyword
+          description: network promiscuity flag
+        - name: uri
+          type: keyword
+          description: URI pointing to a printer
+        - name: audit_enabled
+          type: keyword
+          description: audit systems's enable/disable status
+        - name: old-log_passwd
+          type: keyword
+          description: present value for TTY password logging
+        - name: old-seuser
+          type: keyword
+          description: present SELinux user
+        - name: per
+          type: keyword
+          description: linux personality
+        - name: scontext
+          type: keyword
+          description: the subject's context string
+        - name: tclass
+          type: keyword
+          description: target's object classification
+        - name: ver
+          type: keyword
+          description: audit daemon's version number
+        - name: new
+          type: keyword
+          description: value being set in feature
+        - name: val
+          type: keyword
+          description: generic value associated with the operation
+        - name: img-ctx
+          type: keyword
+          description: the vm's disk image context string
+        - name: old-chardev
+          type: keyword
+          description: present character device assigned to vm
+        - name: old_val
+          type: keyword
+          description: current value of SELinux boolean
+        - name: success
+          type: keyword
+          description: whether the syscall was successful or not
+        - name: inode_uid
+          type: keyword
+          description: user ID of the inode's owner
+        - name: removed
+          type: keyword
+          description: number of deleted files
+      - name: messages
+        type: text
+        description: >
+          An ordered list of the raw messages received from the kernel that
+          were used to construct this document. This field is present if an error
+          occurred processing the data or if `kernel.include_raw_message` is set
+          in the config.
+      - name: warnings
+        type: keyword
+        description: >
+          The warnings generated by the Beat during the construction of the event.
+          These are disabled by default and are used for development and debug
+          purposes only.
+      - name: geoip
+        type: group
+        description: >
+          Contains GeoIP information gathered based on the `os_events.audit.addr`
+          field. Only present if the GeoIP Elasticsearch plugin is available and
+          used.
+        fields:
+          - name: continent_name
+            type: keyword
+            description: >
+              The name of the continent.
+          - name: city_name
+            type: keyword
+            description: >
+              The name of the city.
+          - name: region_name
+            type: keyword
+            description: >
+              The name of the region.
+          - name: country_iso_code
+            type: keyword
+            description: >
+              Country ISO code.
+          - name: location
+            type: geo_point
+            description: >
+              The longitude and latitude.
diff --git a/auditbeat/module/audit/_meta/kibana/5.x/dashboard/AV0tXkjYg1PYniApZbKP.json b/auditbeat/module/auditd/_meta/kibana/5.x/dashboard/AV0tXkjYg1PYniApZbKP.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/5.x/dashboard/AV0tXkjYg1PYniApZbKP.json
rename to auditbeat/module/auditd/_meta/kibana/5.x/dashboard/AV0tXkjYg1PYniApZbKP.json
diff --git a/auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tV05vg1PYniApZbA2.json b/auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tV05vg1PYniApZbA2.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tV05vg1PYniApZbA2.json
rename to auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tV05vg1PYniApZbA2.json
diff --git a/auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tVcg6g1PYniApZa-v.json b/auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tVcg6g1PYniApZa-v.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tVcg6g1PYniApZa-v.json
rename to auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tVcg6g1PYniApZa-v.json
diff --git a/auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tW0djg1PYniApZbGL.json b/auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tW0djg1PYniApZbGL.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tW0djg1PYniApZbGL.json
rename to auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tW0djg1PYniApZbGL.json
diff --git a/auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tWL-Yg1PYniApZbCs.json b/auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tWL-Yg1PYniApZbCs.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tWL-Yg1PYniApZbCs.json
rename to auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tWL-Yg1PYniApZbCs.json
diff --git a/auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tWSdXg1PYniApZbDU.json b/auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tWSdXg1PYniApZbDU.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tWSdXg1PYniApZbDU.json
rename to auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tWSdXg1PYniApZbDU.json
diff --git a/auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tY6jwg1PYniApZbRY.json b/auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tY6jwg1PYniApZbRY.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tY6jwg1PYniApZbRY.json
rename to auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tY6jwg1PYniApZbRY.json
diff --git a/auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tav8Ag1PYniApZbbK.json b/auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tav8Ag1PYniApZbbK.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tav8Ag1PYniApZbbK.json
rename to auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tav8Ag1PYniApZbbK.json
diff --git a/auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tbcUdg1PYniApZbe1.json b/auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tbcUdg1PYniApZbe1.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tbcUdg1PYniApZbe1.json
rename to auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tbcUdg1PYniApZbe1.json
diff --git a/auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tc_xZg1PYniApZbnL.json b/auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tc_xZg1PYniApZbnL.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tc_xZg1PYniApZbnL.json
rename to auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tc_xZg1PYniApZbnL.json
diff --git a/auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0te0TCg1PYniApZbw9.json b/auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0te0TCg1PYniApZbw9.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0te0TCg1PYniApZbw9.json
rename to auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0te0TCg1PYniApZbw9.json
diff --git a/auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tes4Eg1PYniApZbwV.json b/auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tes4Eg1PYniApZbwV.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/5.x/visualization/AV0tes4Eg1PYniApZbwV.json
rename to auditbeat/module/auditd/_meta/kibana/5.x/visualization/AV0tes4Eg1PYniApZbwV.json
diff --git a/auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-file-integrity.json b/auditbeat/module/auditd/_meta/kibana/default/dashboard/auditbeat-file-integrity.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-file-integrity.json
rename to auditbeat/module/auditd/_meta/kibana/default/dashboard/auditbeat-file-integrity.json
diff --git a/auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-executions.json b/auditbeat/module/auditd/_meta/kibana/default/dashboard/auditbeat-kernel-executions.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-executions.json
rename to auditbeat/module/auditd/_meta/kibana/default/dashboard/auditbeat-kernel-executions.json
diff --git a/auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-overview.json b/auditbeat/module/auditd/_meta/kibana/default/dashboard/auditbeat-kernel-overview.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-overview.json
rename to auditbeat/module/auditd/_meta/kibana/default/dashboard/auditbeat-kernel-overview.json
diff --git a/auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-sockets.json b/auditbeat/module/auditd/_meta/kibana/default/dashboard/auditbeat-kernel-sockets.json
similarity index 100%
rename from auditbeat/module/audit/_meta/kibana/default/dashboard/auditbeat-kernel-sockets.json
rename to auditbeat/module/auditd/_meta/kibana/default/dashboard/auditbeat-kernel-sockets.json
diff --git a/auditbeat/module/audit/kernel/audit_linux.go b/auditbeat/module/auditd/audit_linux.go
similarity index 85%
rename from auditbeat/module/audit/kernel/audit_linux.go
rename to auditbeat/module/auditd/audit_linux.go
index 1d954bc10bd..0f4d53bbd00 100644
--- a/auditbeat/module/audit/kernel/audit_linux.go
+++ b/auditbeat/module/auditd/audit_linux.go
@@ -1,4 +1,4 @@
-package kernel
+package auditd
 
 import (
 	"os"
@@ -21,21 +21,25 @@ import (
 )
 
 const (
-	metricsetName = "audit.kernel"
-	logPrefix     = "[" + metricsetName + "]"
+	logPrefix = "[" + moduleName + "]"
+
+	// Use old namespace for data until we do some field renaming for GA.
+	namespace = "audit.kernel"
 )
 
 var (
-	debugf = logp.MakeDebug(metricsetName)
+	debugf = logp.MakeDebug(moduleName)
 
-	auditMetrics = monitoring.Default.NewRegistry(metricsetName)
-	lostMetric   = monitoring.NewInt(auditMetrics, "lost")
+	auditdMetrics = monitoring.Default.NewRegistry(moduleName)
+	lostMetric    = monitoring.NewInt(auditdMetrics, "lost")
 )
 
 func init() {
-	if err := mb.Registry.AddMetricSet("audit", "kernel", New, parse.EmptyHostParser); err != nil {
-		panic(err)
-	}
+	mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
+		mb.DefaultMetricSet(),
+		mb.WithHostParser(parse.EmptyHostParser),
+		mb.WithNamespace(namespace),
+	)
 }
 
 // MetricSet listens for audit messages from the Linux kernel using a netlink
@@ -50,19 +54,19 @@ type MetricSet struct {
 
 // New constructs a new MetricSet.
 func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
-	cfgwarn.Beta("The %v metricset is a beta feature", metricsetName)
+	cfgwarn.Beta("The %v module is a beta feature", moduleName)
 
 	config := defaultConfig
 	if err := base.Module().UnpackConfig(&config); err != nil {
-		return nil, errors.Wrap(err, "failed to unpack the audit.kernel config")
+		return nil, errors.Wrap(err, "failed to unpack the auditd config")
 	}
 
 	_, _, kernel, _ := kernelVersion()
-	debugf("the metricset is running as euid=%v on kernel=%v", os.Geteuid(), kernel)
+	debugf("auditd module is running as euid=%v on kernel=%v", os.Geteuid(), kernel)
 
 	client, err := newAuditClient(&config)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to create audit.kernel client")
+		return nil, errors.Wrap(err, "failed to create audit client")
 	}
 
 	lostMetric.Set(0)
@@ -85,11 +89,11 @@ func newAuditClient(c *Config) (*libaudit.AuditClient, error) {
 		// using unicast.
 		if rules, _ := c.rules(); len(rules) == 0 && hasMulticast {
 			c.SocketType = "multicast"
-			logp.Info("%v kernel.socket_type=multicast will be used.", logPrefix)
+			logp.Info("%v socket_type=multicast will be used.", logPrefix)
 		}
 	case "multicast":
 		if !hasMulticast {
-			logp.Warn("%v kernel.socket_type is set to multicast "+
+			logp.Warn("%v socket_type is set to multicast "+
 				"but based on the kernel version multicast audit subscriptions "+
 				"are not supported. unicast will be used instead.", logPrefix)
 			c.SocketType = "unicast"
@@ -107,7 +111,7 @@ func newAuditClient(c *Config) (*libaudit.AuditClient, error) {
 
 // Run initializes the audit client and receives audit messages from the
 // kernel until the reporter's done channel is closed.
-func (ms *MetricSet) Run(reporter mb.PushReporter) {
+func (ms *MetricSet) Run(reporter mb.PushReporterV2) {
 	defer ms.client.Close()
 
 	if err := ms.addRules(reporter); err != nil {
@@ -128,24 +132,19 @@ func (ms *MetricSet) Run(reporter mb.PushReporter) {
 		case <-reporter.Done():
 			return
 		case msgs := <-out:
-			event, err := buildMapStr(msgs, ms.config)
-			if err != nil {
-				reporter.ErrorWith(err, event)
-			} else {
-				reporter.Event(event)
-			}
+			reporter.Event(buildMetricbeatEvent(msgs, ms.config))
 		}
 	}
 }
 
-func (ms *MetricSet) addRules(reporter mb.PushReporter) error {
+func (ms *MetricSet) addRules(reporter mb.PushReporterV2) error {
 	rules, err := ms.config.rules()
 	if err != nil {
 		return errors.Wrap(err, "failed to add rules")
 	}
 
 	if len(rules) == 0 {
-		logp.Info("%v No audit kernel.rules were specified.", logPrefix)
+		logp.Info("%v No audit_rules were specified.", logPrefix)
 		return nil
 	}
 
@@ -167,13 +166,13 @@ func (ms *MetricSet) addRules(reporter mb.PushReporter) error {
 	for _, rule := range rules {
 		if err = client.AddRule(rule.data); err != nil {
 			// Treat rule add errors as warnings and continue.
-			err = errors.Wrapf(err, "failed to add kernel rule '%v'", rule.flags)
+			err = errors.Wrapf(err, "failed to add audit rule '%v'", rule.flags)
 			reporter.Error(err)
 			logp.Warn("%v %v", logPrefix, err)
 			failCount++
 		}
 	}
-	logp.Info("%v Successfully added %d of %d kernel audit rules.",
+	logp.Info("%v Successfully added %d of %d audit rules.",
 		logPrefix, len(rules)-failCount, len(rules))
 	return nil
 }
@@ -292,28 +291,32 @@ func filterRecordType(typ auparse.AuditMessageType) bool {
 	return false
 }
 
-func buildMapStr(msgs []*auparse.AuditMessage, config Config) (common.MapStr, error) {
+func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event {
 	event, err := aucoalesce.CoalesceMessages(msgs)
 	if err != nil {
 		// Add messages on error so that it's possible to debug the problem.
-		m := common.MapStr{}
-		addMessages(msgs, m)
-		return m, err
+		out := mb.Event{MetricSetFields: common.MapStr{}}
+		addMessages(msgs, out.MetricSetFields)
+		return out
 	}
 
 	if config.ResolveIDs {
 		aucoalesce.ResolveIDs(event)
 	}
 
-	m := common.MapStr{
-		"@timestamp":  event.Timestamp,
-		"sequence":    event.Sequence,
-		"category":    event.Category.String(),
-		"record_type": strings.ToLower(event.Type.String()),
-		"result":      event.Result,
-		"session":     event.Session,
-		"data":        event.Data,
+	out := mb.Event{
+		Timestamp: event.Timestamp,
+		MetricSetFields: common.MapStr{
+			"sequence":    event.Sequence,
+			"category":    event.Category.String(),
+			"record_type": strings.ToLower(event.Type.String()),
+			"result":      event.Result,
+			"session":     event.Session,
+			"data":        event.Data,
+		},
 	}
+
+	m := out.MetricSetFields
 	if event.Subject.Primary != "" {
 		m.Put("actor.primary", event.Subject.Primary)
 	}
@@ -365,7 +368,7 @@ func buildMapStr(msgs []*auparse.AuditMessage, config Config) (common.MapStr, er
 		addMessages(msgs, m)
 	}
 
-	return m, nil
+	return out
 }
 
 func addMessages(msgs []*auparse.AuditMessage, m common.MapStr) {
diff --git a/auditbeat/module/audit/kernel/audit_linux_test.go b/auditbeat/module/auditd/audit_linux_test.go
similarity index 60%
rename from auditbeat/module/audit/kernel/audit_linux_test.go
rename to auditbeat/module/auditd/audit_linux_test.go
index a34e151fa9e..71b4f60691c 100644
--- a/auditbeat/module/audit/kernel/audit_linux_test.go
+++ b/auditbeat/module/auditd/audit_linux_test.go
@@ -1,4 +1,4 @@
-package kernel
+package auditd
 
 import (
 	"flag"
@@ -10,8 +10,10 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
+	"github.com/elastic/beats/auditbeat/core"
 	mbtest "github.com/elastic/beats/metricbeat/mb/testing"
 	"github.com/elastic/go-libaudit"
+	"github.com/elastic/procfs"
 )
 
 // Specify the -audit flag when running these tests to interact with the real
@@ -31,46 +33,44 @@ func TestData(t *testing.T) {
 		returnMessage(userLoginMsg)
 
 	// Replace the default AuditClient with a mock.
-	ms := mbtest.NewPushMetricSet(t, getConfig())
+	ms := mbtest.NewPushMetricSetV2(t, getConfig())
 	auditMetricSet := ms.(*MetricSet)
 	auditMetricSet.client.Close()
 	auditMetricSet.client = &libaudit.AuditClient{Netlink: mock}
 
-	events, errs := mbtest.RunPushMetricSet(time.Second, ms)
-	if len(errs) > 0 {
-		t.Fatalf("received errors: %+v", errs)
+	events := mbtest.RunPushMetricSetV2(time.Second, ms)
+	for _, e := range events {
+		if e.Error != nil {
+			t.Fatalf("received error: %+v", e.Error)
+		}
 	}
 	if len(events) == 0 {
 		t.Fatal("received no events")
 	}
 
-	fullEvent := mbtest.CreateFullEvent(ms, events[0])
-	mbtest.WriteEventToDataJSON(t, fullEvent)
+	beatEvent := mbtest.StandardizeEvent(ms, events[0], core.AddDatasetToEvent)
+	mbtest.WriteEventToDataJSON(t, beatEvent)
 }
 
 func getConfig() map[string]interface{} {
 	return map[string]interface{}{
-		"module":              "audit",
-		"metricsets":          []string{"kernel"},
-		"kernel.failure_mode": "log",
-		"kernel.socket_type":  "unicast",
+		"module":       "auditd",
+		"failure_mode": "log",
+		"socket_type":  "unicast",
 	}
 }
 
-func TestMulticastClient(t *testing.T) {
+func TestUnicastClient(t *testing.T) {
 	if !*audit {
 		t.Skip("-audit was not specified")
 	}
 
-	if !hasMulticastSupport() {
-		t.Skip("no multicast support")
-	}
+	FailIfAuditdIsRunning(t)
 
 	c := map[string]interface{}{
-		"module":             "audit",
-		"metricsets":         []string{"kernel"},
-		"kernel.socket_type": "multicast",
-		"kernel.audit_rules": fmt.Sprintf(`
+		"module":      "auditd",
+		"socket_type": "unicast",
+		"audit_rules": fmt.Sprintf(`
 		   -a always,exit -F arch=b64 -F ppid=%d -S execve -k exec
 		`, os.Getpid()),
 	}
@@ -79,26 +79,42 @@ func TestMulticastClient(t *testing.T) {
 	// PPID filter we applied to the rule.
 	time.AfterFunc(time.Second, func() { exec.Command("cat", "/proc/self/status").Output() })
 
-	ms := mbtest.NewPushMetricSet(t, c)
-	events, errs := mbtest.RunPushMetricSet(5*time.Second, ms)
-	if len(errs) > 0 {
-		t.Fatalf("received errors: %+v", errs)
+	ms := mbtest.NewPushMetricSetV2(t, c)
+	events := mbtest.RunPushMetricSetV2(5*time.Second, ms)
+	for _, e := range events {
+		t.Log(e)
+
+		if e.Error != nil {
+			t.Errorf("received error: %+v", e.Error)
+		}
 	}
 
-	// The number of events is non-deterministic so there is no validation.
-	t.Logf("received %d messages via multicast", len(events))
+	for _, e := range events {
+		v, err := e.MetricSetFields.GetValue("thing.primary")
+		if err == nil {
+			if exe, ok := v.(string); ok && exe == "/bin/cat" {
+				return
+			}
+		}
+	}
+	assert.Fail(t, "expected an execve event for /bin/cat")
 }
 
-func TestUnicastClient(t *testing.T) {
+func TestMulticastClient(t *testing.T) {
 	if !*audit {
 		t.Skip("-audit was not specified")
 	}
 
+	if !hasMulticastSupport() {
+		t.Skip("no multicast support")
+	}
+
+	FailIfAuditdIsRunning(t)
+
 	c := map[string]interface{}{
-		"module":             "audit",
-		"metricsets":         []string{"kernel"},
-		"kernel.socket_type": "unicast",
-		"kernel.audit_rules": fmt.Sprintf(`
+		"module":      "auditd",
+		"socket_type": "multicast",
+		"audit_rules": fmt.Sprintf(`
 		   -a always,exit -F arch=b64 -F ppid=%d -S execve -k exec
 		`, os.Getpid()),
 	}
@@ -107,14 +123,16 @@ func TestUnicastClient(t *testing.T) {
 	// PPID filter we applied to the rule.
 	time.AfterFunc(time.Second, func() { exec.Command("cat", "/proc/self/status").Output() })
 
-	ms := mbtest.NewPushMetricSet(t, c)
-	events, errs := mbtest.RunPushMetricSet(5*time.Second, ms)
-	if len(errs) > 0 {
-		t.Fatalf("received errors: %+v", errs)
+	ms := mbtest.NewPushMetricSetV2(t, c)
+	events := mbtest.RunPushMetricSetV2(5*time.Second, ms)
+	for _, e := range events {
+		if e.Error != nil {
+			t.Fatalf("received error: %+v", e.Error)
+		}
 	}
 
-	t.Log(events)
-	assert.Len(t, events, 1)
+	// The number of events is non-deterministic so there is no validation.
+	t.Logf("received %d messages via multicast", len(events))
 }
 
 func TestKernelVersion(t *testing.T) {
@@ -124,3 +142,25 @@ func TestKernelVersion(t *testing.T) {
 	}
 	t.Logf("major=%v, minor=%v, full=%v", major, minor, full)
 }
+
+func FailIfAuditdIsRunning(t testing.TB) {
+	t.Helper()
+
+	procs, err := procfs.AllProcs()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, proc := range procs {
+		comm, err := proc.Comm()
+		if err != nil {
+			t.Error(err)
+			continue
+		}
+
+		if comm == "auditd" {
+			t.Fatalf("auditd is running (pid=%d). This test cannot run while "+
+				"auditd is running.", proc.PID)
+		}
+	}
+}
diff --git a/auditbeat/module/auditd/audit_unsupported.go b/auditbeat/module/auditd/audit_unsupported.go
new file mode 100644
index 00000000000..826369816bd
--- /dev/null
+++ b/auditbeat/module/auditd/audit_unsupported.go
@@ -0,0 +1,22 @@
+// +build !linux
+
+package auditd
+
+import (
+	"github.com/pkg/errors"
+
+	"github.com/elastic/beats/metricbeat/mb"
+	"github.com/elastic/beats/metricbeat/mb/parse"
+)
+
+func init() {
+	mb.Registry.MustAddMetricSet(metricsetName, metricsetName, New,
+		mb.DefaultMetricSet(),
+		mb.WithHostParser(parse.EmptyHostParser),
+	)
+}
+
+// New constructs a new MetricSet.
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+	return nil, errors.Errorf("the %v module is only supported on Linux", metricsetName)
+}
diff --git a/auditbeat/module/audit/kernel/config.go b/auditbeat/module/auditd/config.go
similarity index 65%
rename from auditbeat/module/audit/kernel/config.go
rename to auditbeat/module/auditd/config.go
index 885ab47d4b3..06e2e1ee95a 100644
--- a/auditbeat/module/audit/kernel/config.go
+++ b/auditbeat/module/auditd/config.go
@@ -1,4 +1,4 @@
-package kernel
+package auditd
 
 import (
 	"bufio"
@@ -13,21 +13,26 @@ import (
 	"github.com/elastic/go-libaudit/rule/flags"
 )
 
+const (
+	moduleName    = "auditd"
+	metricsetName = "auditd"
+)
+
 // Config defines the kernel metricset's possible configuration options.
 type Config struct {
-	ResolveIDs   bool   `config:"kernel.resolve_ids"`         // Resolve UID/GIDs to names.
-	FailureMode  string `config:"kernel.failure_mode"`        // Failure mode for the kernel (silent, log, panic).
-	BacklogLimit uint32 `config:"kernel.backlog_limit"`       // Max number of message to buffer in the kernel.
-	RateLimit    uint32 `config:"kernel.rate_limit"`          // Rate limit in messages/sec of messages from kernel.
-	RawMessage   bool   `config:"kernel.include_raw_message"` // Include the list of raw audit messages in the event.
-	Warnings     bool   `config:"kernel.include_warnings"`    // Include warnings in the event (for dev/debug purposes only).
-	RulesBlob    string `config:"kernel.audit_rules"`         // Audit rules. One rule per line.
-	SocketType   string `config:"kernel.socket_type"`         // Socket type to use with the kernel (unicast or multicast).
+	ResolveIDs   bool   `config:"resolve_ids"`         // Resolve UID/GIDs to names.
+	FailureMode  string `config:"failure_mode"`        // Failure mode for the kernel (silent, log, panic).
+	BacklogLimit uint32 `config:"backlog_limit"`       // Max number of message to buffer in the auditd.
+	RateLimit    uint32 `config:"rate_limit"`          // Rate limit in messages/sec of messages from auditd.
+	RawMessage   bool   `config:"include_raw_message"` // Include the list of raw audit messages in the event.
+	Warnings     bool   `config:"include_warnings"`    // Include warnings in the event (for dev/debug purposes only).
+	RulesBlob    string `config:"audit_rules"`         // Audit rules. One rule per line.
+	SocketType   string `config:"socket_type"`         // Socket type to use with the kernel (unicast or multicast).
 
 	// Tuning options (advanced, use with care)
-	ReassemblerMaxInFlight uint32        `config:"kernel.reassembler.max_in_flight"`
-	ReassemblerTimeout     time.Duration `config:"kernel.reassembler.timeout"`
-	StreamBufferQueueSize  uint32        `config:"kernel.reassembler.queue_size"`
+	ReassemblerMaxInFlight uint32        `config:"reassembler.max_in_flight"`
+	ReassemblerTimeout     time.Duration `config:"reassembler.timeout"`
+	StreamBufferQueueSize  uint32        `config:"reassembler.queue_size"`
 }
 
 type auditRule struct {
@@ -51,7 +56,7 @@ func (c *Config) Validate() error {
 	switch c.SocketType {
 	case "", "unicast", "multicast":
 	default:
-		errs = append(errs, errors.Errorf("invalid kernel.socket_type "+
+		errs = append(errs, errors.Errorf("invalid socket_type "+
 			"'%v' (use unicast, multicast, or don't set a value)", c.SocketType))
 	}
 
@@ -97,7 +102,7 @@ func (c Config) rules() ([]auditRule, error) {
 	}
 
 	if len(errs) > 0 {
-		return nil, errors.Wrap(errs.Err(), "invalid kernel.audit_rules")
+		return nil, errors.Wrap(errs.Err(), "invalid audit_rules")
 	}
 	return auditRules, nil
 }
@@ -111,7 +116,7 @@ func (c Config) failureMode() (uint32, error) {
 	case "panic":
 		return 2, nil
 	default:
-		return 0, errors.Errorf("invalid kernel.failure_mode '%v' (use silent, log, or panic)", c.FailureMode)
+		return 0, errors.Errorf("invalid failure_mode '%v' (use silent, log, or panic)", c.FailureMode)
 	}
 }
 
diff --git a/auditbeat/module/audit/kernel/config_linux_test.go b/auditbeat/module/auditd/config_linux_test.go
similarity index 95%
rename from auditbeat/module/audit/kernel/config_linux_test.go
rename to auditbeat/module/auditd/config_linux_test.go
index fda2a42c943..a5d48b97fe1 100644
--- a/auditbeat/module/audit/kernel/config_linux_test.go
+++ b/auditbeat/module/auditd/config_linux_test.go
@@ -1,4 +1,4 @@
-package kernel
+package auditd
 
 import (
 	"testing"
@@ -10,7 +10,7 @@ import (
 
 func TestConfigValidate(t *testing.T) {
 	data := `
-kernel.audit_rules: |
+audit_rules: |
   # Comments and empty lines are ignored.
   -w /etc/passwd -p wa -k auth
 
@@ -32,7 +32,7 @@ kernel.audit_rules: |
 
 func TestConfigValidateWithError(t *testing.T) {
 	data := `
-kernel.audit_rules: |
+audit_rules: |
   -x bad -F flag
   -a always,exit -w /etc/passwd
   -a always,exit -F arch=b64 -S fake -k exec`
@@ -46,7 +46,7 @@ kernel.audit_rules: |
 
 func TestConfigValidateWithDuplicates(t *testing.T) {
 	data := `
-kernel.audit_rules: |
+audit_rules: |
   -w /etc/passwd -p rwxa -k auth
   -w /etc/passwd -k auth`
 
diff --git a/auditbeat/module/auditd/doc.go b/auditbeat/module/auditd/doc.go
new file mode 100644
index 00000000000..b99d21dc16a
--- /dev/null
+++ b/auditbeat/module/auditd/doc.go
@@ -0,0 +1,3 @@
+// Package auditd is a metricset that subscribes to the Linux Audit Framework
+// to receive audit events from the the kernel.
+package auditd
diff --git a/auditbeat/module/audit/kernel/mock_linux_test.go b/auditbeat/module/auditd/mock_linux_test.go
similarity index 99%
rename from auditbeat/module/audit/kernel/mock_linux_test.go
rename to auditbeat/module/auditd/mock_linux_test.go
index c27b551b71c..e5708e88c9d 100644
--- a/auditbeat/module/audit/kernel/mock_linux_test.go
+++ b/auditbeat/module/auditd/mock_linux_test.go
@@ -1,4 +1,4 @@
-package kernel
+package auditd
 
 import (
 	"bytes"
diff --git a/auditbeat/module/auditd/module.yml b/auditbeat/module/auditd/module.yml
new file mode 100644
index 00000000000..5f7374a3626
--- /dev/null
+++ b/auditbeat/module/auditd/module.yml
@@ -0,0 +1,9 @@
+dashboards:
+- id:   c0ac2c00-c1c0-11e7-8995-936807a28b16
+  file: auditbeat-kernel-overview.json
+
+- id:   7de391b0-c1ca-11e7-8995-936807a28b16
+  file: auditbeat-kernel-executions.json
+
+- id:   693a5f40-c243-11e7-8692-232bd1143e8a
+  file: auditbeat-kernel-sockets.json
diff --git a/auditbeat/module/file_integrity/_meta/config.yml.tpl b/auditbeat/module/file_integrity/_meta/config.yml.tpl
new file mode 100644
index 00000000000..ccd34efd066
--- /dev/null
+++ b/auditbeat/module/file_integrity/_meta/config.yml.tpl
@@ -0,0 +1,48 @@
+{{ if .reference -}}
+# The file integrity module sends events when files are changed (created,
+# updated, deleted). The events contain file metadata and hashes.
+{{ end -}}
+- module: file_integrity
+  {{ if eq .goos "darwin" -}}
+  paths:
+  - /bin
+  - /usr/bin
+  - /usr/local/bin
+  - /sbin
+  - /usr/sbin
+  - /usr/local/sbin
+  {{ else if eq .goos "windows" -}}
+  paths:
+  - C:/windows
+  - C:/windows/system32
+  - C:/Program Files
+  - C:/Program Files (x86)
+  {{ else -}}
+  paths:
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
+  {{ end -}}
+  {{ if .reference }}
+  # Scan over the configured file paths at startup and send events for new or
+  # modified files since the last time Auditbeat was running.
+  scan_at_start: true
+
+  # Average scan rate. This throttles the amount of CPU and I/O that Auditbeat
+  # consumes at startup while scanning. Default is "50 MiB".
+  scan_rate_per_sec: 50 MiB
+
+  # Limit on the size of files that will be hashed. Default is "100 MiB".
+  # Limit on the size of files that will be hashed. Default is "100 MiB".
+  max_file_size: 100 MiB
+
+  # Hash types to compute when the file changes. Supported types are md5, sha1,
+  # sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256,
+  # sha3_384 and sha3_512. Default is sha1.
+  hash_types: [sha1]
+
+  # Detect changes to files included in subdirectories. Disabled by default.
+  recursive: false
+{{- end }}
diff --git a/auditbeat/module/file_integrity/_meta/data.json b/auditbeat/module/file_integrity/_meta/data.json
new file mode 100644
index 00000000000..0338c1d4f55
--- /dev/null
+++ b/auditbeat/module/file_integrity/_meta/data.json
@@ -0,0 +1,30 @@
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "audit": {
+        "file": {
+            "action": [
+                "created"
+            ],
+            "ctime": "2017-12-13T20:58:45.240217481Z",
+            "gid": 1000,
+            "group": "vagrant",
+            "hashed": true,
+            "inode": "38496",
+            "mode": "0600",
+            "mtime": "2017-12-13T20:58:45.240217481Z",
+            "owner": "vagrant",
+            "path": "/tmp/audit-file341509799/file.data",
+            "sha1": "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed",
+            "size": 11,
+            "type": "file",
+            "uid": 1000
+        }
+    },
+    "beat": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "dataset": {
+        "module": "file_integrity"
+    }
+}
\ No newline at end of file
diff --git a/auditbeat/module/audit/file/_meta/docs.asciidoc b/auditbeat/module/file_integrity/_meta/docs.asciidoc
similarity index 62%
rename from auditbeat/module/audit/file/_meta/docs.asciidoc
rename to auditbeat/module/file_integrity/_meta/docs.asciidoc
index 2e2b54ec3a3..0fc9feaeb33 100644
--- a/auditbeat/module/audit/file/_meta/docs.asciidoc
+++ b/auditbeat/module/file_integrity/_meta/docs.asciidoc
@@ -1,20 +1,20 @@
-=== Audit file metricset
+=== File Integrity Module
 
-The `file` metricset sends events when a file is changed (created, updated, or
-deleted) on disk. The events contain file metadata and hashes.
+The `file_integrity` module sends events when a file is changed (created,
+updated, or deleted) on disk. The events contain file metadata and hashes.
 
-The metricset is implemented for Linux, macOS (Darwin), and Windows.
+The module is implemented for Linux, macOS (Darwin), and Windows.
 
 [float]
 === How it works
 
-This metricset uses features of the operating system to monitor file changes in
-realtime. When the metricset starts it creates a subscription with the OS to
+This module uses features of the operating system to monitor file changes in
+realtime. When the module starts it creates a subscription with the OS to
 receive notifications of changes to the specified files or directories. Upon
-receiving notification of a change the metricset will read the file's metadata
+receiving notification of a change the module will read the file's metadata
 and the compute a hash of the file's contents.
 
-At startup this metricset will perform an initial scan of the configured files
+At startup this module will perform an initial scan of the configured files
 and directories to generate baseline data for the monitored paths and detect
 changes since the last time it was run. It uses locally persisted data in order
 to only send events for new or modified files.
@@ -30,36 +30,36 @@ in rare situations the reported events may have a different ordering than what
 actually happened.
 * Windows - `ReadDirectoryChangesW` is used.
 
-The file metricset should not be used to monitor paths on network file systems.
+The file integrity module should not be used to monitor paths on network file
+systems.
 
 [float]
 === Configuration options
 
-This metricset has some configuration options for tuning its behavior. The
+This module has some configuration options for tuning its behavior. The
 following example shows all configuration options with their default values for
 Linux.
 
 [source,yaml]
 ----
-- module: audit
-  metricsets: [file]
-  file.paths:
+- module: file_integrity
+  paths:
   - /bin
   - /usr/bin
   - /sbin
   - /usr/sbin
   - /etc
-  file.scan_at_start: true
-  file.scan_rate_per_sec: 50 MiB
-  file.max_file_size: 100 MiB
-  file.hash_types: [sha1]
-  file.recursive: false
+  scan_at_start: true
+  scan_rate_per_sec: 50 MiB
+  max_file_size: 100 MiB
+  hash_types: [sha1]
+  recursive: false
 ----
 
-*`file.paths`*:: A list of paths (directories or files) to watch. Globs are
+*`paths`*:: A list of paths (directories or files) to watch. Globs are
 not supported. The specified paths should exist when the metricset is started.
 
-*`file.scan_at_start`*:: A boolean value that controls if {beatname_uc} scans
+*`scan_at_start`*:: A boolean value that controls if {beatname_uc} scans
 over the configured file paths at startup and send events for the files
 that have been modified since the last time {beatname_uc} was running. The
 default value is true.
@@ -68,7 +68,7 @@ This feature depends on data stored locally in `path.data` in order to determine
 if a file has changed. The first time {beatname_uc} runs it will send an event
 for each file it encounters.
 
-*`file.scan_rate_per_sec`*:: When `file.scan_at_start` is enabled this sets an
+*`scan_rate_per_sec`*:: When `scan_at_start` is enabled this sets an
 average read rate defined in bytes per second for the initial scan. This
 throttles the amount of CPU and I/O that {beatname_uc} consumes at startup.
 The default value is "50 MiB". Setting the value to "0" disables throttling.
@@ -76,18 +76,18 @@ For convenience units can be specified as a suffix to the value. The supported
 units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`, `gb`, `tib`, `tb`,
 `pib`, `pb`, `eib`, and `eb`.
 
-*`file.max_file_size`*:: The maximum size of a file in bytes for which
+*`max_file_size`*:: The maximum size of a file in bytes for which
 {beatname_uc} will compute hashes. Files larger than this size will not be
 hashed. The default value is 100 MiB. For convenience units can be specified as
 a suffix to the value. The supported units are `b` (default), `kib`, `kb`, `mib`,
 `mb`, `gib`, `gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.
 
-*`file.hash_types`*:: A list of hash types to compute when the file changes.
+*`hash_types`*:: A list of hash types to compute when the file changes.
 The supported hash types are md5, sha1, sha224, sha256, sha384, sha512,
 sha512_224, sha512_256, sha3_224, sha3_256, sha3_384 and sha3_512. The default
 value is sha1.
 
-*`file.recursive`*:: By default, the watches set to the paths specified in
-`file.paths` are not recursive. This means that only changes to the contents
-of this directories are watched. If `file.recursive` is set to `true`, the file
+*`recursive`*:: By default, the watches set to the paths specified in
+`paths` are not recursive. This means that only changes to the contents
+of this directories are watched. If `recursive` is set to `true`, the file
 metric will watch for changes on this directories and all their subdirectories.
diff --git a/auditbeat/module/file_integrity/_meta/fields.yml b/auditbeat/module/file_integrity/_meta/fields.yml
new file mode 100644
index 00000000000..91a8aca6d5e
--- /dev/null
+++ b/auditbeat/module/file_integrity/_meta/fields.yml
@@ -0,0 +1,121 @@
+- key: file_integrity
+  title: File Integrity
+  fields:
+  - name: audit
+    type: group
+    fields:
+    - name: file
+      type: group
+      fields:
+      - name: path
+        type: keyword
+        description: The path to the file.
+
+      - name: target_path
+        type: keyword
+        description: The target path for symlinks.
+
+      - name: action
+        type: keyword
+        example: attributes_modified
+        description: >
+          Action describes the change that triggered the event. The possible
+          values are: attributes_modified, created, deleted, updated, moved, and
+          config_change.
+
+      - name: type
+        type: keyword
+        description: The file type (file, dir, or symlink).
+
+      - name: inode
+        type: keyword
+        description: The inode representing the file in the filesystem.
+
+      - name: uid
+        type: keyword
+        description: The user ID (UID) of the file owner.
+
+      - name: owner
+        type: keyword
+        description: The file owner's username.
+
+      - name: gid
+        type: keyword
+        description: The primary group ID (GID) of the file.
+
+      - name: group
+        type: keyword
+        description: The primary group name of the file.
+
+      - name: sid
+        type: keyword
+        description: The security identifier (SID) of the file owner (Windows only).
+
+      - name: mode
+        type: keyword
+        example: 0640
+        description: The mode of the file in octal representation.
+
+      - name: size
+        type: long
+        description: The file size in bytes (field is only added when `type` is `file`).
+
+      - name: mtime
+        type: date
+        description: The last modified time of the file (time when content was modified).
+
+      - name: ctime
+        type: date
+        description: The last change time of the file (time when metadata was changed).
+
+      - name: hashed
+        type: boolean
+        description: Boolean indicating if the event includes any file hashes.
+
+      - name: md5
+        type: keyword
+        description: MD5 hash of the file.
+
+      - name: sha1
+        type: keyword
+        description: SHA1 hash of the file.
+
+      - name: sha224
+        type: keyword
+        description: SHA224 hash of the file.
+
+      - name: sha256
+        type: keyword
+        description: SHA256 hash of the file.
+
+      - name: sha384
+        type: keyword
+        description: SHA384 hash of the file.
+
+      - name: sha3_224
+        type: keyword
+        description: SHA3_224 hash of the file.
+
+      - name: sha3_256
+        type: keyword
+        description: SHA3_256 hash of the file.
+
+      - name: sha3_384
+        type: keyword
+        description: SHA3_384 hash of the file.
+
+      - name: sha3_512
+        type: keyword
+        description: SHA3_512 hash of the file.
+
+      - name: sha512
+        type: keyword
+        description: SHA512 hash of the file.
+
+      - name: sha512_224
+        type: keyword
+        description: SHA512/224 hash of the file.
+
+      - name: sha512_256
+        type: keyword
+        description: SHA512/256 hash of the file.
diff --git a/auditbeat/module/audit/file/action.go b/auditbeat/module/file_integrity/action.go
similarity index 99%
rename from auditbeat/module/audit/file/action.go
rename to auditbeat/module/file_integrity/action.go
index 64d65a20d43..2420d283375 100644
--- a/auditbeat/module/audit/file/action.go
+++ b/auditbeat/module/file_integrity/action.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"math/bits"
diff --git a/auditbeat/module/audit/file/config.go b/auditbeat/module/file_integrity/config.go
similarity index 73%
rename from auditbeat/module/audit/file/config.go
rename to auditbeat/module/file_integrity/config.go
index 9181da07bb5..c787375d944 100644
--- a/auditbeat/module/audit/file/config.go
+++ b/auditbeat/module/file_integrity/config.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"path/filepath"
@@ -40,18 +40,14 @@ const (
 // Config contains the configuration parameters for the file integrity
 // metricset.
 type Config struct {
-	Paths               []string   `config:"file.paths" validate:"required"`
-	HashTypes           []HashType `config:"file.hash_types"`
-	MaxFileSize         string     `config:"file.max_file_size"`
+	Paths               []string   `config:"paths" validate:"required"`
+	HashTypes           []HashType `config:"hash_types"`
+	MaxFileSize         string     `config:"max_file_size"`
 	MaxFileSizeBytes    uint64     `config:",ignore"`
-	ScanAtStart         bool       `config:"file.scan_at_start"`
-	ScanRatePerSec      string     `config:"file.scan_rate_per_sec"`
+	ScanAtStart         bool       `config:"scan_at_start"`
+	ScanRatePerSec      string     `config:"scan_rate_per_sec"`
 	ScanRateBytesPerSec uint64     `config:",ignore"`
-
-	// Recursive enables recursive monitoring of directories.
-	// XXX: This feature is only implemented in the scanner. It needs to be
-	// implemented in the fsnotify code. Don't use it yet.
-	Recursive bool `config:"file.recursive"`
+	Recursive           bool       `config:"recursive"` // Recursive enables recursive monitoring of directories.
 }
 
 // Validate validates the config data and return an error explaining all the
@@ -78,19 +74,19 @@ nextHash:
 				continue nextHash
 			}
 		}
-		errs = append(errs, errors.Errorf("invalid file.hash_types value '%v'", ht))
+		errs = append(errs, errors.Errorf("invalid hash_types value '%v'", ht))
 	}
 
 	c.MaxFileSizeBytes, err = humanize.ParseBytes(c.MaxFileSize)
 	if err != nil {
-		errs = append(errs, errors.Wrap(err, "invalid file.max_file_size value"))
+		errs = append(errs, errors.Wrap(err, "invalid max_file_size value"))
 	} else if c.MaxFileSizeBytes <= 0 {
-		errs = append(errs, errors.Errorf("file.max_file_size value (%v) must be positive", c.MaxFileSize))
+		errs = append(errs, errors.Errorf("max_file_size value (%v) must be positive", c.MaxFileSize))
 	}
 
 	c.ScanRateBytesPerSec, err = humanize.ParseBytes(c.ScanRatePerSec)
 	if err != nil {
-		errs = append(errs, errors.Wrap(err, "invalid file.scan_rate_per_sec value"))
+		errs = append(errs, errors.Wrap(err, "invalid scan_rate_per_sec value"))
 	}
 
 	return errs.Err()
diff --git a/auditbeat/module/audit/file/config_test.go b/auditbeat/module/file_integrity/config_test.go
similarity index 76%
rename from auditbeat/module/audit/file/config_test.go
rename to auditbeat/module/file_integrity/config_test.go
index 5908428517e..b51fce3b733 100644
--- a/auditbeat/module/audit/file/config_test.go
+++ b/auditbeat/module/file_integrity/config_test.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"os"
@@ -14,10 +14,10 @@ import (
 
 func TestConfig(t *testing.T) {
 	config, err := common.NewConfigFrom(map[string]interface{}{
-		"file.paths":             []string{"/usr/bin"},
-		"file.hash_types":        []string{"md5", "sha256"},
-		"file.max_file_size":     "1 GiB",
-		"file.scan_rate_per_sec": "10MiB",
+		"paths":             []string{"/usr/bin"},
+		"hash_types":        []string{"md5", "sha256"},
+		"max_file_size":     "1 GiB",
+		"scan_rate_per_sec": "10MiB",
 	})
 	if err != nil {
 		t.Fatal(err)
@@ -35,10 +35,10 @@ func TestConfig(t *testing.T) {
 
 func TestConfigInvalid(t *testing.T) {
 	config, err := common.NewConfigFrom(map[string]interface{}{
-		"file.paths":             []string{"/usr/bin"},
-		"file.hash_types":        []string{"crc32", "sha256", "hmac"},
-		"file.max_file_size":     "32 Hz",
-		"file.scan_rate_per_sec": "32mb/sec",
+		"paths":             []string{"/usr/bin"},
+		"hash_types":        []string{"crc32", "sha256", "hmac"},
+		"max_file_size":     "32 Hz",
+		"scan_rate_per_sec": "32mb/sec",
 	})
 	if err != nil {
 		t.Fatal(err)
@@ -66,8 +66,8 @@ func TestConfigInvalid(t *testing.T) {
 
 func TestConfigInvalidMaxFileSize(t *testing.T) {
 	config, err := common.NewConfigFrom(map[string]interface{}{
-		"file.paths":         []string{"/usr/bin"},
-		"file.max_file_size": "0", // Value must be >= 0.
+		"paths":         []string{"/usr/bin"},
+		"max_file_size": "0", // Value must be >= 0.
 	})
 	if err != nil {
 		t.Fatal(err)
@@ -87,7 +87,7 @@ func TestConfigEvalSymlinks(t *testing.T) {
 	defer os.RemoveAll(dir)
 
 	config, err := common.NewConfigFrom(map[string]interface{}{
-		"file.paths": []string{filepath.Join(dir, "link_to_subdir")},
+		"paths": []string{filepath.Join(dir, "link_to_subdir")},
 	})
 	if err != nil {
 		t.Fatal(err)
@@ -105,7 +105,7 @@ func TestConfigEvalSymlinks(t *testing.T) {
 
 func TestConfigRemoveDuplicates(t *testing.T) {
 	config, err := common.NewConfigFrom(map[string]interface{}{
-		"file.paths": []string{"/path/a", "/path/a"},
+		"paths": []string{"/path/a", "/path/a"},
 	})
 	if err != nil {
 		t.Fatal(err)
diff --git a/auditbeat/module/audit/file/event.go b/auditbeat/module/file_integrity/event.go
similarity index 96%
rename from auditbeat/module/audit/file/event.go
rename to auditbeat/module/file_integrity/event.go
index b17bb3b4fc9..548f7ae1d85 100644
--- a/auditbeat/module/audit/file/event.go
+++ b/auditbeat/module/file_integrity/event.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"bytes"
@@ -181,12 +181,10 @@ func (e *Event) String() string {
 	return string(data)
 }
 
-func buildMapStr(e *Event, existedBefore bool) common.MapStr {
+func buildMetricbeatEvent(e *Event, existedBefore bool) mb.Event {
 	m := common.MapStr{
-		"@timestamp": e.Timestamp,
-		"path":       e.Path,
-		"hashed":     len(e.Hashes) > 0,
-		mb.RTTKey:    e.rtt,
+		"path":   e.Path,
+		"hashed": len(e.Hashes) > 0,
 	}
 
 	if e.Action > 0 {
@@ -233,7 +231,12 @@ func buildMapStr(e *Event, existedBefore bool) common.MapStr {
 		m[string(hashType)] = hex.EncodeToString(hash)
 	}
 
-	return m
+	out := mb.Event{
+		Timestamp:       e.Timestamp,
+		Took:            e.rtt,
+		MetricSetFields: m,
+	}
+	return out
 }
 
 // diffEvents returns true if the file info differs between the old event and
diff --git a/auditbeat/module/audit/file/event_test.go b/auditbeat/module/file_integrity/event_test.go
similarity index 99%
rename from auditbeat/module/audit/file/event_test.go
rename to auditbeat/module/file_integrity/event_test.go
index 0c01019faf1..7a1c293d7e5 100644
--- a/auditbeat/module/audit/file/event_test.go
+++ b/auditbeat/module/file_integrity/event_test.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"encoding/hex"
diff --git a/auditbeat/module/audit/file/eventreader_fsevents.go b/auditbeat/module/file_integrity/eventreader_fsevents.go
similarity index 99%
rename from auditbeat/module/audit/file/eventreader_fsevents.go
rename to auditbeat/module/file_integrity/eventreader_fsevents.go
index 59a01d6d53d..e106331317e 100644
--- a/auditbeat/module/audit/file/eventreader_fsevents.go
+++ b/auditbeat/module/file_integrity/eventreader_fsevents.go
@@ -1,6 +1,6 @@
 // +build darwin
 
-package file
+package file_integrity
 
 import (
 	"flag"
diff --git a/auditbeat/module/audit/file/eventreader_fsnotify.go b/auditbeat/module/file_integrity/eventreader_fsnotify.go
similarity index 95%
rename from auditbeat/module/audit/file/eventreader_fsnotify.go
rename to auditbeat/module/file_integrity/eventreader_fsnotify.go
index b2065c7cb22..5d5d017bd17 100644
--- a/auditbeat/module/audit/file/eventreader_fsnotify.go
+++ b/auditbeat/module/file_integrity/eventreader_fsnotify.go
@@ -1,6 +1,6 @@
 // +build linux freebsd openbsd netbsd windows
 
-package file
+package file_integrity
 
 import (
 	"syscall"
@@ -9,7 +9,7 @@ import (
 	"github.com/fsnotify/fsnotify"
 	"github.com/pkg/errors"
 
-	"github.com/elastic/beats/auditbeat/module/audit/file/monitor"
+	"github.com/elastic/beats/auditbeat/module/file_integrity/monitor"
 	"github.com/elastic/beats/libbeat/logp"
 )
 
diff --git a/auditbeat/module/audit/file/eventreader_test.go b/auditbeat/module/file_integrity/eventreader_test.go
similarity index 98%
rename from auditbeat/module/audit/file/eventreader_test.go
rename to auditbeat/module/file_integrity/eventreader_test.go
index afd0de70b09..2d4209d5395 100644
--- a/auditbeat/module/audit/file/eventreader_test.go
+++ b/auditbeat/module/file_integrity/eventreader_test.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"io/ioutil"
@@ -226,7 +226,7 @@ func readTimeout(t testing.TB, events <-chan Event) Event {
 		if !ok {
 			t.Fatal("failed reading from event channel")
 		}
-		t.Logf("%+v", buildMapStr(&e, false).StringToPrint())
+		t.Logf("%+v", buildMetricbeatEvent(&e, false))
 		return e
 	}
 
@@ -248,7 +248,7 @@ func readMax(t testing.TB, max int, events <-chan Event) []Event {
 			if !ok {
 				t.Fatal("failed reading from event channel")
 			}
-			t.Logf("%+v", buildMapStr(&e, false).StringToPrint())
+			t.Logf("%+v", buildMetricbeatEvent(&e, false))
 			received = append(received, e)
 			if len(received) >= max {
 				return received
diff --git a/auditbeat/module/audit/file/eventreader_unsupported.go b/auditbeat/module/file_integrity/eventreader_unsupported.go
similarity index 90%
rename from auditbeat/module/audit/file/eventreader_unsupported.go
rename to auditbeat/module/file_integrity/eventreader_unsupported.go
index 32543665f1e..09955080ec1 100644
--- a/auditbeat/module/audit/file/eventreader_unsupported.go
+++ b/auditbeat/module/file_integrity/eventreader_unsupported.go
@@ -1,6 +1,6 @@
 // +build !linux,!freebsd,!openbsd,!netbsd,!windows,!darwin
 
-package file
+package file_integrity
 
 import "github.com/pkg/errors"
 
diff --git a/auditbeat/module/audit/file/fileinfo_bsd.go b/auditbeat/module/file_integrity/fileinfo_bsd.go
similarity index 92%
rename from auditbeat/module/audit/file/fileinfo_bsd.go
rename to auditbeat/module/file_integrity/fileinfo_bsd.go
index fe84fe8836b..e67e0ce9bbd 100644
--- a/auditbeat/module/audit/file/fileinfo_bsd.go
+++ b/auditbeat/module/file_integrity/fileinfo_bsd.go
@@ -1,6 +1,6 @@
 // +build freebsd openbsd netbsd darwin
 
-package file
+package file_integrity
 
 import (
 	"syscall"
diff --git a/auditbeat/module/audit/file/fileinfo_linux.go b/auditbeat/module/file_integrity/fileinfo_linux.go
similarity index 91%
rename from auditbeat/module/audit/file/fileinfo_linux.go
rename to auditbeat/module/file_integrity/fileinfo_linux.go
index 418e5cbdf6a..acc9e82c458 100644
--- a/auditbeat/module/audit/file/fileinfo_linux.go
+++ b/auditbeat/module/file_integrity/fileinfo_linux.go
@@ -1,6 +1,6 @@
 // +build linux
 
-package file
+package file_integrity
 
 import (
 	"syscall"
diff --git a/auditbeat/module/audit/file/fileinfo_posix.go b/auditbeat/module/file_integrity/fileinfo_posix.go
similarity index 98%
rename from auditbeat/module/audit/file/fileinfo_posix.go
rename to auditbeat/module/file_integrity/fileinfo_posix.go
index 5de161132bb..c16214aeecf 100644
--- a/auditbeat/module/audit/file/fileinfo_posix.go
+++ b/auditbeat/module/file_integrity/fileinfo_posix.go
@@ -1,6 +1,6 @@
 // +build linux freebsd openbsd netbsd darwin
 
-package file
+package file_integrity
 
 import (
 	"os"
diff --git a/auditbeat/module/audit/file/fileinfo_test.go b/auditbeat/module/file_integrity/fileinfo_test.go
similarity index 98%
rename from auditbeat/module/audit/file/fileinfo_test.go
rename to auditbeat/module/file_integrity/fileinfo_test.go
index 078ea2c52f3..fe7825ef594 100644
--- a/auditbeat/module/audit/file/fileinfo_test.go
+++ b/auditbeat/module/file_integrity/fileinfo_test.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"io/ioutil"
diff --git a/auditbeat/module/audit/file/fileinfo_windows.go b/auditbeat/module/file_integrity/fileinfo_windows.go
similarity index 99%
rename from auditbeat/module/audit/file/fileinfo_windows.go
rename to auditbeat/module/file_integrity/fileinfo_windows.go
index bd68a040446..4e0d5983da3 100644
--- a/auditbeat/module/audit/file/fileinfo_windows.go
+++ b/auditbeat/module/file_integrity/fileinfo_windows.go
@@ -1,6 +1,6 @@
 // +build windows
 
-package file
+package file_integrity
 
 import (
 	"fmt"
diff --git a/auditbeat/module/audit/file/flatbuffers.go b/auditbeat/module/file_integrity/flatbuffers.go
similarity index 98%
rename from auditbeat/module/audit/file/flatbuffers.go
rename to auditbeat/module/file_integrity/flatbuffers.go
index c990a373f95..045da4f8006 100644
--- a/auditbeat/module/audit/file/flatbuffers.go
+++ b/auditbeat/module/file_integrity/flatbuffers.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"os"
@@ -8,7 +8,7 @@ import (
 	"github.com/google/flatbuffers/go"
 	"github.com/pkg/errors"
 
-	"github.com/elastic/beats/auditbeat/module/audit/file/schema"
+	"github.com/elastic/beats/auditbeat/module/file_integrity/schema"
 )
 
 // Requires the Google flatbuffer compiler.
diff --git a/auditbeat/module/audit/file/flatbuffers_test.go b/auditbeat/module/file_integrity/flatbuffers_test.go
similarity index 98%
rename from auditbeat/module/audit/file/flatbuffers_test.go
rename to auditbeat/module/file_integrity/flatbuffers_test.go
index b173c9c4a91..a24f0667000 100644
--- a/auditbeat/module/audit/file/flatbuffers_test.go
+++ b/auditbeat/module/file_integrity/flatbuffers_test.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"encoding/json"
diff --git a/auditbeat/module/audit/file/metricset.go b/auditbeat/module/file_integrity/metricset.go
similarity index 82%
rename from auditbeat/module/audit/file/metricset.go
rename to auditbeat/module/file_integrity/metricset.go
index 72b9a0e5728..285a39ccc97 100644
--- a/auditbeat/module/audit/file/metricset.go
+++ b/auditbeat/module/file_integrity/metricset.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"bytes"
@@ -16,19 +16,25 @@ import (
 )
 
 const (
-	metricsetName = "audit.file"
-	logPrefix     = "[" + metricsetName + "]"
-	bucketName    = metricsetName + ".v1"
+	moduleName    = "file_integrity"
+	metricsetName = "file"
+	logPrefix     = "[" + moduleName + "]"
+	bucketName    = "file.v1"
+
+	// Use old namespace for data until we do some field renaming for GA.
+	namespace = "audit.file"
 )
 
 var (
-	debugf = logp.MakeDebug(metricsetName)
+	debugf = logp.MakeDebug(moduleName)
 )
 
 func init() {
-	if err := mb.Registry.AddMetricSet("audit", "file", New, parse.EmptyHostParser); err != nil {
-		panic(err)
-	}
+	mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
+		mb.DefaultMetricSet(),
+		mb.WithHostParser(parse.EmptyHostParser),
+		mb.WithNamespace(namespace),
+	)
 }
 
 // EventProducer produces events.
@@ -58,7 +64,7 @@ type MetricSet struct {
 
 // New returns a new file.MetricSet.
 func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
-	cfgwarn.Experimental("The %v metricset is an experimental feature", metricsetName)
+	cfgwarn.Beta("The %v module is an beta feature", moduleName)
 
 	config := defaultConfig
 	if err := base.Module().UnpackConfig(&config); err != nil {
@@ -67,7 +73,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 
 	r, err := NewEventReader(config)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to initialize audit file event reader")
+		return nil, errors.Wrap(err, "failed to initialize file event reader")
 	}
 
 	ms := &MetricSet{
@@ -79,18 +85,18 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 	if config.ScanAtStart {
 		ms.scanner, err = NewFileSystemScanner(config)
 		if err != nil {
-			return nil, errors.Wrap(err, "failed to initialize audit file scanner")
+			return nil, errors.Wrap(err, "failed to initialize file scanner")
 		}
 	}
 
-	debugf("Initialized the audit file event reader. Running as euid=%v", os.Geteuid())
+	debugf("Initialized the file event reader. Running as euid=%v", os.Geteuid())
 
 	return ms, nil
 }
 
 // Run runs the MetricSet. The method will not return control to the caller
 // until it is finished (to stop it close the reporter.Done() channel).
-func (ms *MetricSet) Run(reporter mb.PushReporter) {
+func (ms *MetricSet) Run(reporter mb.PushReporterV2) {
 	if !ms.init(reporter) {
 		return
 	}
@@ -128,7 +134,7 @@ func (ms *MetricSet) Close() error {
 	return nil
 }
 
-func (ms *MetricSet) init(reporter mb.PushReporter) bool {
+func (ms *MetricSet) init(reporter mb.PushReporterV2) bool {
 	bucket, err := datastore.OpenBucket(bucketName)
 	if err != nil {
 		err = errors.Wrap(err, "failed to open persistent datastore")
@@ -160,16 +166,16 @@ func (ms *MetricSet) init(reporter mb.PushReporter) bool {
 	return true
 }
 
-func (ms *MetricSet) reportEvent(reporter mb.PushReporter, event *Event) bool {
-	if len(event.errors) > 0 && logp.IsDebug(metricsetName) {
-		debugf("Errors on %v event for %v: %v",
-			event.Action, event.Path, event.errors)
+func (ms *MetricSet) reportEvent(reporter mb.PushReporterV2, event *Event) bool {
+	if len(event.errors) > 0 && logp.IsDebug(moduleName) {
+		debugf("Errors on event for %v with action=%v: %v",
+			event.Path, event.Action, event.errors)
 	}
 
 	changed, lastEvent := ms.hasFileChangedSinceLastEvent(event)
 	if changed {
 		// Publish event if it changed.
-		if ok := reporter.Event(buildMapStr(event, lastEvent != nil)); !ok {
+		if ok := reporter.Event(buildMetricbeatEvent(event, lastEvent != nil)); !ok {
 			return false
 		}
 	}
@@ -200,14 +206,14 @@ func (ms *MetricSet) hasFileChangedSinceLastEvent(event *Event) (changed bool, l
 		event.Action = action
 	}
 
-	if changed && logp.IsDebug(metricsetName) {
+	if changed && logp.IsDebug(moduleName) {
 		debugf("file at %v has changed since last seen: old=%v, new=%v",
 			event.Path, lastEvent, event)
 	}
 	return changed, lastEvent
 }
 
-func (ms *MetricSet) purgeDeleted(reporter mb.PushReporter) {
+func (ms *MetricSet) purgeDeleted(reporter mb.PushReporterV2) {
 	for _, prefix := range ms.config.Paths {
 		deleted, err := purgeOlder(ms.bucket, ms.scanStart, prefix)
 		if err != nil {
@@ -217,7 +223,7 @@ func (ms *MetricSet) purgeDeleted(reporter mb.PushReporter) {
 
 		for _, e := range deleted {
 			// Don't persist!
-			if !reporter.Event(buildMapStr(e, true)) {
+			if !reporter.Event(buildMetricbeatEvent(e, true)) {
 				return
 			}
 		}
diff --git a/auditbeat/module/audit/file/metricset_test.go b/auditbeat/module/file_integrity/metricset_test.go
similarity index 58%
rename from auditbeat/module/audit/file/metricset_test.go
rename to auditbeat/module/file_integrity/metricset_test.go
index c0270f5b346..75b7c6f59d3 100644
--- a/auditbeat/module/audit/file/metricset_test.go
+++ b/auditbeat/module/file_integrity/metricset_test.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"io/ioutil"
@@ -9,6 +9,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
+	"github.com/elastic/beats/auditbeat/core"
 	"github.com/elastic/beats/auditbeat/datastore"
 	"github.com/elastic/beats/libbeat/paths"
 	mbtest "github.com/elastic/beats/metricbeat/mb/testing"
@@ -29,27 +30,18 @@ func TestData(t *testing.T) {
 		ioutil.WriteFile(file, []byte("hello world"), 0600)
 	}()
 
-	ms := mbtest.NewPushMetricSet(t, getConfig(dir))
-	events, errs := mbtest.RunPushMetricSet(time.Second, ms)
-	if len(errs) > 0 {
-		t.Fatalf("received errors: %+v", errs)
-	}
-	if len(events) == 0 {
-		t.Fatal("received no events")
+	ms := mbtest.NewPushMetricSetV2(t, getConfig(dir))
+	events := mbtest.RunPushMetricSetV2(time.Second, ms)
+	for _, e := range events {
+		if e.Error != nil {
+			t.Fatalf("received error: %+v", e.Error)
+		}
 	}
 
-	fullEvent := mbtest.CreateFullEvent(ms, events[len(events)-1])
+	fullEvent := mbtest.StandardizeEvent(ms, events[len(events)-1], core.AddDatasetToEvent)
 	mbtest.WriteEventToDataJSON(t, fullEvent)
 }
 
-func getConfig(path string) map[string]interface{} {
-	return map[string]interface{}{
-		"module":     "audit",
-		"metricsets": []string{"file"},
-		"file.paths": []string{path},
-	}
-}
-
 func TestDetectDeletedFiles(t *testing.T) {
 	defer setup(t)()
 
@@ -79,21 +71,38 @@ func TestDetectDeletedFiles(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	ms := mbtest.NewPushMetricSet(t, getConfig(dir))
-	events, errs := mbtest.RunPushMetricSet(time.Second, ms)
-	if len(errs) > 0 {
-		t.Fatalf("received errors: %+v", errs)
+	ms := mbtest.NewPushMetricSetV2(t, getConfig(dir))
+	events := mbtest.RunPushMetricSetV2(time.Second, ms)
+	for _, e := range events {
+		if e.Error != nil {
+			t.Fatalf("received error: %+v", e.Error)
+		}
 	}
 
 	if !assert.Len(t, events, 2) {
 		return
 	}
-	event := events[0]
-	assert.Equal(t, dir, event["path"])
-	assert.Equal(t, []string{"created"}, event["action"])
-	event = events[1]
-	assert.Equal(t, e.Path, event["path"])
-	assert.Equal(t, []string{"deleted"}, event["action"])
+	event := events[0].MetricSetFields
+	path, err := event.GetValue("path")
+	if assert.NoError(t, err) {
+		assert.Equal(t, dir, path)
+	}
+
+	action, err := event.GetValue("action")
+	if assert.NoError(t, err) {
+		assert.Equal(t, []string{"created"}, action)
+	}
+
+	event = events[1].MetricSetFields
+	path, err = event.GetValue("path")
+	if assert.NoError(t, err) {
+		assert.Equal(t, e.Path, path)
+	}
+
+	action, err = event.GetValue("action")
+	if assert.NoError(t, err) {
+		assert.Equal(t, []string{"deleted"}, action)
+	}
 }
 
 func setup(t testing.TB) func() {
@@ -105,3 +114,10 @@ func setup(t testing.TB) func() {
 	}
 	return func() { os.RemoveAll(paths.Paths.Data) }
 }
+
+func getConfig(path string) map[string]interface{} {
+	return map[string]interface{}{
+		"module": "file_integrity",
+		"paths":  []string{path},
+	}
+}
diff --git a/auditbeat/module/file_integrity/module.yml b/auditbeat/module/file_integrity/module.yml
new file mode 100644
index 00000000000..bc9bb6fb543
--- /dev/null
+++ b/auditbeat/module/file_integrity/module.yml
@@ -0,0 +1,3 @@
+dashboards:
+- id:   AV0tXkjYg1PYniApZbKP
+  file: auditbeat-file-integrity.json
diff --git a/auditbeat/module/audit/file/monitor/filetree.go b/auditbeat/module/file_integrity/monitor/filetree.go
similarity index 100%
rename from auditbeat/module/audit/file/monitor/filetree.go
rename to auditbeat/module/file_integrity/monitor/filetree.go
diff --git a/auditbeat/module/audit/file/monitor/filetree_test.go b/auditbeat/module/file_integrity/monitor/filetree_test.go
similarity index 100%
rename from auditbeat/module/audit/file/monitor/filetree_test.go
rename to auditbeat/module/file_integrity/monitor/filetree_test.go
diff --git a/auditbeat/module/audit/file/monitor/monitor.go b/auditbeat/module/file_integrity/monitor/monitor.go
similarity index 100%
rename from auditbeat/module/audit/file/monitor/monitor.go
rename to auditbeat/module/file_integrity/monitor/monitor.go
diff --git a/auditbeat/module/audit/file/monitor/monitor_test.go b/auditbeat/module/file_integrity/monitor/monitor_test.go
similarity index 100%
rename from auditbeat/module/audit/file/monitor/monitor_test.go
rename to auditbeat/module/file_integrity/monitor/monitor_test.go
diff --git a/auditbeat/module/audit/file/monitor/nonrecursive.go b/auditbeat/module/file_integrity/monitor/nonrecursive.go
similarity index 100%
rename from auditbeat/module/audit/file/monitor/nonrecursive.go
rename to auditbeat/module/file_integrity/monitor/nonrecursive.go
diff --git a/auditbeat/module/audit/file/monitor/recursive.go b/auditbeat/module/file_integrity/monitor/recursive.go
similarity index 100%
rename from auditbeat/module/audit/file/monitor/recursive.go
rename to auditbeat/module/file_integrity/monitor/recursive.go
diff --git a/auditbeat/module/audit/file/scanner.go b/auditbeat/module/file_integrity/scanner.go
similarity index 99%
rename from auditbeat/module/audit/file/scanner.go
rename to auditbeat/module/file_integrity/scanner.go
index 717586c09b4..ecccc33d4f2 100644
--- a/auditbeat/module/audit/file/scanner.go
+++ b/auditbeat/module/file_integrity/scanner.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"errors"
diff --git a/auditbeat/module/audit/file/scanner_test.go b/auditbeat/module/file_integrity/scanner_test.go
similarity index 99%
rename from auditbeat/module/audit/file/scanner_test.go
rename to auditbeat/module/file_integrity/scanner_test.go
index befc617f683..6bf6d9d71c4 100644
--- a/auditbeat/module/audit/file/scanner_test.go
+++ b/auditbeat/module/file_integrity/scanner_test.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"io/ioutil"
diff --git a/auditbeat/module/audit/file/schema.fbs b/auditbeat/module/file_integrity/schema.fbs
similarity index 100%
rename from auditbeat/module/audit/file/schema.fbs
rename to auditbeat/module/file_integrity/schema.fbs
diff --git a/auditbeat/module/audit/file/schema/Action.go b/auditbeat/module/file_integrity/schema/Action.go
similarity index 100%
rename from auditbeat/module/audit/file/schema/Action.go
rename to auditbeat/module/file_integrity/schema/Action.go
diff --git a/auditbeat/module/audit/file/schema/Event.go b/auditbeat/module/file_integrity/schema/Event.go
similarity index 100%
rename from auditbeat/module/audit/file/schema/Event.go
rename to auditbeat/module/file_integrity/schema/Event.go
diff --git a/auditbeat/module/audit/file/schema/Hash.go b/auditbeat/module/file_integrity/schema/Hash.go
similarity index 100%
rename from auditbeat/module/audit/file/schema/Hash.go
rename to auditbeat/module/file_integrity/schema/Hash.go
diff --git a/auditbeat/module/audit/file/schema/Metadata.go b/auditbeat/module/file_integrity/schema/Metadata.go
similarity index 100%
rename from auditbeat/module/audit/file/schema/Metadata.go
rename to auditbeat/module/file_integrity/schema/Metadata.go
diff --git a/auditbeat/module/audit/file/schema/Source.go b/auditbeat/module/file_integrity/schema/Source.go
similarity index 100%
rename from auditbeat/module/audit/file/schema/Source.go
rename to auditbeat/module/file_integrity/schema/Source.go
diff --git a/auditbeat/module/audit/file/schema/Type.go b/auditbeat/module/file_integrity/schema/Type.go
similarity index 100%
rename from auditbeat/module/audit/file/schema/Type.go
rename to auditbeat/module/file_integrity/schema/Type.go
diff --git a/auditbeat/module/audit/file/security_windows.go b/auditbeat/module/file_integrity/security_windows.go
similarity index 98%
rename from auditbeat/module/audit/file/security_windows.go
rename to auditbeat/module/file_integrity/security_windows.go
index 29125c4f7e5..bc995bbebf0 100644
--- a/auditbeat/module/audit/file/security_windows.go
+++ b/auditbeat/module/file_integrity/security_windows.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 type SecurityDescriptor struct{}
 
diff --git a/auditbeat/module/audit/file/security_windows_test.go b/auditbeat/module/file_integrity/security_windows_test.go
similarity index 97%
rename from auditbeat/module/audit/file/security_windows_test.go
rename to auditbeat/module/file_integrity/security_windows_test.go
index d8c10ead477..82896494880 100644
--- a/auditbeat/module/audit/file/security_windows_test.go
+++ b/auditbeat/module/file_integrity/security_windows_test.go
@@ -1,4 +1,4 @@
-package file
+package file_integrity
 
 import (
 	"io/ioutil"
diff --git a/auditbeat/module/audit/file/zsecurity_windows.go b/auditbeat/module/file_integrity/zsecurity_windows.go
similarity index 97%
rename from auditbeat/module/audit/file/zsecurity_windows.go
rename to auditbeat/module/file_integrity/zsecurity_windows.go
index 162378b424b..3bb509c2a2f 100644
--- a/auditbeat/module/audit/file/zsecurity_windows.go
+++ b/auditbeat/module/file_integrity/zsecurity_windows.go
@@ -1,6 +1,6 @@
 // MACHINE GENERATED BY 'go generate' COMMAND; DO NOT EDIT
 
-package file
+package file_integrity
 
 import (
 	"syscall"
diff --git a/auditbeat/scripts/docs_collector.py b/auditbeat/scripts/docs_collector.py
index 8d7897e16b9..d843f1932a5 100644
--- a/auditbeat/scripts/docs_collector.py
+++ b/auditbeat/scripts/docs_collector.py
@@ -72,11 +72,6 @@ def collect(beat_name):
 
             module_file += "----\n\n"
 
-        # Add metricsets title as below each metricset adds its link
-        module_file += "[float]\n"
-        module_file += "=== Metricsets\n\n"
-        module_file += "The following metricsets are available:\n\n"
-
         module_links = ""
         module_includes = ""
 
@@ -129,8 +124,13 @@ def collect(beat_name):
             with open(os.path.abspath("docs") + "/modules/" + module + "/" + metricset + ".asciidoc", 'w') as f:
                 f.write(metricset_file)
 
-        module_file += module_links
-        module_file += module_includes
+        if len(module_links) > 0:
+            module_file += "[float]\n"
+            module_file += "=== Metricsets\n\n"
+            module_file += "The following metricsets are available:\n\n"
+
+            module_file += module_links
+            module_file += module_includes
 
         # Write module docs
         with open(os.path.abspath("docs") + "/modules/" + module + ".asciidoc", 'w') as f:
diff --git a/metricbeat/mb/testing/data_generator.go b/metricbeat/mb/testing/data_generator.go
index e4dc70c3a2d..2db38e655d0 100644
--- a/metricbeat/mb/testing/data_generator.go
+++ b/metricbeat/mb/testing/data_generator.go
@@ -61,18 +61,28 @@ func WriteEvents(f mb.EventsFetcher, t testing.TB) error {
 // This simulates the output of Metricbeat as if it were
 // 2016-05-23T08:05:34.853Z and the hostname is host.example.com.
 func CreateFullEvent(ms mb.MetricSet, metricSetData common.MapStr) beat.Event {
+	return StandardizeEvent(
+		ms,
+		mb.TransformMapStrToEvent(ms.Module().Name(), metricSetData, nil),
+		mb.AddMetricSetInfo,
+	)
+}
+
+// StandardizeEvent builds a beat.Event given the data generated by a MetricSet.
+// This simulates the output as if it were 2016-05-23T08:05:34.853Z and the
+// hostname is host.example.com and the RTT is 155us.
+func StandardizeEvent(ms mb.MetricSet, e mb.Event, modifiers ...mb.EventModifier) beat.Event {
 	startTime, err := time.Parse(time.RFC3339Nano, "2017-10-12T08:05:34.853Z")
 	if err != nil {
 		panic(err)
 	}
 
-	mbEvent := mb.TransformMapStrToEvent(ms.Module().Name(), metricSetData, nil)
-	mbEvent.Namespace = ms.Registration().Namespace
-	mbEvent.Timestamp = startTime
-	mbEvent.Took = 115 * time.Microsecond
-	mbEvent.Host = ms.Host()
+	e.Timestamp = startTime
+	e.Namespace = ms.Registration().Namespace
+	e.Took = 115 * time.Microsecond
+	e.Host = ms.Host()
 
-	fullEvent := mbEvent.BeatEvent(ms.Module().Name(), ms.Name(), mb.AddMetricSetInfo)
+	fullEvent := e.BeatEvent(ms.Module().Name(), ms.Name(), modifiers...)
 
 	fullEvent.Fields["beat"] = common.MapStr{
 		"name":     "host.example.com",