diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 85936aa3dec..eb5550bec47 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -878,6 +878,30 @@ Fields from the Linux audit logs. Not all fields are documented here because the
 The audit event type.
+[float]
+=== system.audit.old_auid
+
+For login events this is the old audit ID used for the user prior to this login.
+
+
+[float]
+=== system.audit.new_auid
+
+For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).
+
+
+[float]
+=== system.audit.old_ses
+
+For login events this is the old session ID used for the user prior to this login.
+
+
+[float]
+=== system.audit.new_ses
+
+For login events this is the new session ID. It can be used to tie a user to future events by session ID.
+
+
 [float]
 === system.audit.sequence
diff --git a/filebeat/module/system/audit/_meta/fields.yml b/filebeat/module/system/audit/_meta/fields.yml
index 7294a6aa212..05b16091eed 100644
--- a/filebeat/module/system/audit/_meta/fields.yml
+++ b/filebeat/module/system/audit/_meta/fields.yml
@@ -7,6 +7,23 @@
 - name: record_type
 description: >
 The audit event type.
+ - name: old_auid
+ description: >
+ For login events this is the old audit ID used for the user prior to
+ this login.
+ - name: new_auid
+ description: >
+ For login events this is the new audit ID. The audit ID can be used to
+ trace future events to the user even if their identity changes (like
+ becoming root).
+ - name: old_ses
+ description: >
+ For login events this is the old session ID used for the user prior to
+ this login.
+ - name: new_ses
+ description: >
+ For login events this is the new session ID. It can be used to tie a
+ user to future events by session ID.
 - name: sequence
 type: long
 description: >
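Review bot: The four new entries in fields.yml (`old_auid`, `new_auid`, `old_ses`, `new_ses`) declare no `type`, unlike the neighbouring `sequence` entry which carries `type: long`, so they presumably fall back to whatever default mapping the field loader applies; if the ingest pipeline populates them with numeric audit and session IDs, range queries and sorting on them will be string-based rather than numeric. Either add `type: long` to each entry to match `sequence`, or, if a keyword mapping is intentional so the IDs can be matched against other keyword ID fields, state that in the description so the choice is not mistaken for an omission. The descriptions would also be more useful for session tracking if they said what value `old_auid` and `old_ses` hold when there is no prior login to report, since the text only covers the case where an earlier value exists; I cannot tell from this hunk what the pipeline emits there. The same wording is duplicated in the generated fields.asciidoc hunk, so any description change needs to land in both.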