From 7cd7d52a3f848cec53ed854b51daab1ec4e84061 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Fri, 31 Mar 2017 14:45:53 -0400
Subject: [PATCH] Document old_auid, new_auid, old_ses, new_ses

---
 filebeat/docs/fields.asciidoc | 24 +++++++++++++++++++
 filebeat/module/system/audit/_meta/fields.yml | 17 +++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 85936aa3dec..eb5550bec47 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -878,6 +878,30 @@ Fields from the Linux audit logs. Not all fields are documented here because the
 The audit event type.
+[float]
+=== system.audit.old_auid
+
+For login events this is the old audit ID used for the user prior to this login.
+
+
+[float]
+=== system.audit.new_auid
+
+For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).
+
+
+[float]
+=== system.audit.old_ses
+
+For login events this is the old session ID used for the user prior to this login.
+
+
+[float]
+=== system.audit.new_ses
+
+For login events this is the new session ID. It can be used to tie a user to future events by session ID.
+
+
 [float]
 === system.audit.sequence
diff --git a/filebeat/module/system/audit/_meta/fields.yml b/filebeat/module/system/audit/_meta/fields.yml
index 7294a6aa212..05b16091eed 100644
--- a/filebeat/module/system/audit/_meta/fields.yml
+++ b/filebeat/module/system/audit/_meta/fields.yml
@@ -7,6 +7,23 @@
   - name: record_type
     description: >
       The audit event type.
+  - name: old_auid
+    description: >
+      For login events this is the old audit ID used for the user prior to
+      this login.
+  - name: new_auid
+    description: >
+      For login events this is the new audit ID. The audit ID can be used to
+      trace future events to the user even if their identity changes (like
+      becoming root).
+  - name: old_ses
+    description: >
+      For login events this is the old session ID used for the user prior to
+      this login.
+  - name: new_ses
+    description: >
+      For login events this is the new session ID. It can be used to tie a
+      user to future events by session ID.
   - name: sequence
     type: long
     description: >
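Review bot: The four new entries in the fields.yml hunk carry only a `description`, while the neighbouring `sequence` entry also declares `type: long`, so old_auid, new_auid, old_ses and new_ses will be mapped with whatever default the module's field definitions fall back to (presumably keyword; confirm). Audit IDs and session IDs are numeric identifiers in the audit record, so an analyst correlating a login to later events by auid or ses would likely expect the same numeric mapping as `sequence`, otherwise range queries and aggregations on these fields behave differently from it. If that is the intent, add `    type: long` under each of the four `- name:` lines, matching `sequence`; if they are deliberately left as strings (e.g. to preserve the unset value verbatim), a one-line comment in the hunk saying so would save the next reader the question. The enclosing field list starts outside the hunk.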