diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 1ceabcb9c57e..f3296843b7cd 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -38,6 +38,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - With the default configuration the cloud modules (aws, azure, googlecloud, o365, okta)
 - With the default configuration the cef and panw modules will no longer send the `host`
 - Add `while_pattern` type to multiline reader. {pull}19662[19662]
+- auditd dataset: Use process.args to store program arguments instead of auditd.log.aNNN fields. {pull}29601[29601]
 
 *Heartbeat*
 - Only add monitor.status to browser events when summary. {pull}29460[29460]
diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml
index b5c6d56412a2..b169fb4dd581 100644
--- a/filebeat/module/auditd/log/ingest/pipeline.yml
+++ b/filebeat/module/auditd/log/ingest/pipeline.yml
@@ -2102,6 +2102,29 @@ processors:
     ignore_failure: true
     field: auditd.log.msg
     target_field: message
+- script:
+    lang: painless
+    description: Extracts process information from execve calls
+    if: 'ctx.process?.args_count != null && ctx.auditd?.log != null'
+    source: >-
+      long argc = ctx.process.args_count;
+      List args = new ArrayList();
+      def[] fmt = new def[] {0};
+      for (long i=0; i<argc; i++) {
+        fmt[0] = i;
+        String fld = String.format("a%d", fmt);
+        def arg = ctx.auditd.log.remove(fld);
+        if (arg == null) break;
+        args.add(arg);
+      }
+      if (args.size() == 0) return;
+      ctx.process.put("args", args);
+      ctx.process.put("executable", args[0]);
+    on_failure:
+      - append:
+          field: error.message
+          value: "failed extracting process arguments: {{ _ingest.on_failure_message }}"
+
 - rename:
     ignore_failure: true
     field: auditd.log.res
@@ -2160,6 +2183,6 @@ processors:
     ignore_failure: true
     ignore_missing: true
 on_failure:
-- set:
+- append:
     field: error.message
     value: "{{ _ingest.on_failure_message }}"
diff --git a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json
index b435807ebaac..854ebd16841e 100644
--- a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json
+++ b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json
@@ -1,6 +1,5 @@
 [
     {
-        "@timestamp": "2020-07-06T16:38:34.588Z",
         "auditd.log.format": "raw",
         "auditd.log.kernel": "3.10.0-1062.9.1.el7.x86_64",
         "auditd.log.node": "localhost.localdomain",
@@ -33,7 +32,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2020-07-06T16:38:34.707Z",
         "auditd.log.audit_backlog_limit": "8192",
         "auditd.log.node": "localhost.localdomain",
         "auditd.log.old": "64",
@@ -63,7 +61,6 @@
         "user.audit.id": "4294967295"
     },
     {
-        "@timestamp": "2020-07-06T16:38:34.707Z",
         "auditd.log.audit_failure": "1",
         "auditd.log.node": "localhost.localdomain",
         "auditd.log.old": "1",
@@ -93,7 +90,6 @@
         "user.audit.id": "4294967295"
     },
     {
-        "@timestamp": "2020-07-06T16:38:34.709Z",
         "auditd.log.node": "localhost.localdomain",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 6,
@@ -125,7 +121,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2020-07-06T16:38:34.725Z",
         "auditd.log.node": "localhost.localdomain",
         "auditd.log.record_type": "SYSTEM_BOOT",
         "auditd.log.sequence": 7,
@@ -152,7 +147,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2020-07-06T16:38:34.739Z",
         "auditd.log.node": "localhost.localdomain",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 8,
@@ -184,7 +178,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2020-07-06T16:38:34.807Z",
         "auditd.log.node": "localhost.localdomain",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 9,
@@ -216,7 +209,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2020-07-06T16:38:34.843Z",
         "auditd.log.node": "localhost.localdomain",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 10,
@@ -248,7 +240,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2020-07-06T16:38:34.850Z",
         "auditd.log.node": "localhost.localdomain",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 11,
@@ -280,7 +271,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2020-07-06T16:38:34.857Z",
         "auditd.log.node": "localhost.localdomain",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 12,
diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
index f7eb39a6d14d..889da77f9e01 100644
--- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
+++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
@@ -1,6 +1,5 @@
 [
     {
-        "@timestamp": "2017-03-14T19:20:30.178Z",
         "auditd.log.op": "PAM:session_close",
         "auditd.log.record_type": "USER_END",
         "auditd.log.sequence": 19600327,
@@ -32,7 +31,6 @@
         "user.name": "root"
     },
     {
-        "@timestamp": "2017-03-14T19:20:30.178Z",
         "auditd.log.op": "PAM:setcred",
         "auditd.log.record_type": "CRED_DISP",
         "auditd.log.sequence": 19600328,
@@ -64,7 +62,6 @@
         "user.name": "root"
     },
     {
-        "@timestamp": "2017-03-14T19:20:56.192Z",
         "auditd.log.record_type": "USER_CMD",
         "auditd.log.sequence": 19600329,
         "auditd.log.ses": "11988",
@@ -86,8 +83,8 @@
         "input.type": "log",
         "log.offset": 373,
         "process.args": [
-            "-p",
             "/usr/lib64/nagios/plugins/check_asterisk_sip_peers",
+            "-p",
             "202"
         ],
         "process.args_count": 3,
@@ -98,7 +95,6 @@
         "user.id": "497"
     },
     {
-        "@timestamp": "2017-03-14T19:20:56.193Z",
         "auditd.log.op": "PAM:setcred",
         "auditd.log.record_type": "CRED_ACQ",
         "auditd.log.sequence": 19600330,
@@ -130,7 +126,6 @@
         "user.name": "root"
     },
     {
-        "@timestamp": "2017-03-14T19:20:56.193Z",
         "auditd.log.op": "PAM:session_open",
         "auditd.log.record_type": "USER_START",
         "auditd.log.sequence": 19600331,
@@ -162,7 +157,6 @@
         "user.name": "root"
     },
     {
-        "@timestamp": "2017-03-14T19:23:02.529Z",
         "auditd.log.dst_prefixlen": 22,
         "auditd.log.op": "SPD-add",
         "auditd.log.sequence": 19600354,
@@ -184,7 +178,6 @@
         "user.audit.id": "4294967295"
     },
     {
-        "@timestamp": "2017-03-14T19:23:02.529Z",
         "auditd.log.a0": "9",
         "auditd.log.a1": "7f564ee6d2a0",
         "auditd.log.a2": "b8",
@@ -228,7 +221,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2017-03-16T04:02:40.072Z",
         "auditd.log.new_auid": "700",
         "auditd.log.new_ses": "12286",
         "auditd.log.old_auid": "700",
@@ -258,7 +250,6 @@
         "user.id": "700"
     },
     {
-        "@timestamp": "2017-03-16T04:02:40.070Z",
         "auditd.log.direction": "both",
         "auditd.log.kind": "session",
         "auditd.log.laddr": "107.170.139.210",
@@ -305,7 +296,6 @@
         "user.saved.id": "74"
     },
     {
-        "@timestamp": "2017-03-16T04:02:40.072Z",
         "auditd.log.op": "success",
         "auditd.log.record_type": "USER_AUTH",
         "auditd.log.sequence": 19623789,
@@ -349,7 +339,6 @@
         "user.terminal": "ssh"
     },
     {
-        "@timestamp": "2017-03-16T04:02:57.804Z",
         "auditd.log.op": "PAM:authentication",
         "auditd.log.record_type": "USER_AUTH",
         "auditd.log.sequence": 19623807,
@@ -382,7 +371,6 @@
         "user.terminal": "pts/0"
     },
     {
-        "@timestamp": "2017-03-16T04:02:57.805Z",
         "auditd.log.op": "PAM:accounting",
         "auditd.log.record_type": "USER_ACCT",
         "auditd.log.sequence": 19623808,
diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json
index a18b67e2e221..50ede81ba095 100644
--- a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json
+++ b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json
@@ -1,6 +1,5 @@
 [
     {
-        "@timestamp": "2016-12-07T02:16:23.819Z",
         "auditd.log.format": "raw",
         "auditd.log.kernel": "3.10.0-327.36.3.el7.x86_64",
         "auditd.log.record_type": "DAEMON_START",
@@ -29,7 +28,6 @@
         "user.audit.id": "4294967295"
     },
     {
-        "@timestamp": "2016-12-07T02:16:23.864Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 6,
         "auditd.log.ses": "4294967295",
@@ -60,7 +58,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:23.876Z",
         "auditd.log.record_type": "SYSTEM_BOOT",
         "auditd.log.sequence": 7,
         "auditd.log.ses": "4294967295",
@@ -86,7 +83,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:23.879Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 8,
         "auditd.log.ses": "4294967295",
@@ -117,7 +113,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.075Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 9,
         "auditd.log.ses": "4294967295",
@@ -148,7 +143,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.088Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 10,
         "auditd.log.ses": "4294967295",
@@ -179,7 +173,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.163Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 11,
         "auditd.log.ses": "4294967295",
@@ -210,7 +203,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.212Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 12,
         "auditd.log.ses": "4294967295",
@@ -241,7 +233,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.521Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 13,
         "auditd.log.ses": "4294967295",
@@ -272,7 +263,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.521Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 14,
         "auditd.log.ses": "4294967295",
@@ -303,7 +293,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.526Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 15,
         "auditd.log.ses": "4294967295",
@@ -334,7 +323,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.534Z",
         "auditd.log.record_type": "SERVICE_STOP",
         "auditd.log.sequence": 16,
         "auditd.log.ses": "4294967295",
@@ -365,7 +353,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.827Z",
         "auditd.log.entries": 0,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -390,7 +377,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.827Z",
         "auditd.log.a0": "0",
         "auditd.log.a1": "41a15c",
         "auditd.log.a2": "0",
@@ -434,7 +420,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.858Z",
         "auditd.log.entries": 0,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -459,7 +444,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.858Z",
         "auditd.log.a0": "0",
         "auditd.log.a1": "41a15c",
         "auditd.log.a2": "0",
@@ -503,7 +487,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.870Z",
         "auditd.log.entries": 0,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -528,7 +511,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.870Z",
         "auditd.log.a0": "0",
         "auditd.log.a1": "41a15c",
         "auditd.log.a2": "0",
@@ -572,7 +554,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.877Z",
         "auditd.log.entries": 0,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -597,7 +578,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.877Z",
         "auditd.log.a0": "0",
         "auditd.log.a1": "41a15c",
         "auditd.log.a2": "0",
@@ -641,7 +621,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.931Z",
         "auditd.log.entries": 0,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -666,7 +645,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.931Z",
         "auditd.log.a0": "3",
         "auditd.log.a1": "41a15c",
         "auditd.log.a2": "0",
@@ -710,7 +688,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.939Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 22,
         "auditd.log.ses": "4294967295",
@@ -741,7 +718,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.945Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 23,
         "auditd.log.ses": "4294967295",
@@ -772,7 +748,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.953Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 24,
         "auditd.log.ses": "4294967295",
@@ -803,7 +778,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.954Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 25,
         "auditd.log.ses": "4294967295",
@@ -834,7 +808,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.960Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 26,
         "auditd.log.ses": "4294967295",
@@ -865,7 +838,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.982Z",
         "auditd.log.entries": 0,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -890,7 +862,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:24.982Z",
         "auditd.log.a0": "0",
         "auditd.log.a1": "41a15c",
         "auditd.log.a2": "0",
@@ -934,7 +905,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.012Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 28,
         "auditd.log.ses": "4294967295",
@@ -965,7 +935,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.031Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 29,
         "auditd.log.ses": "4294967295",
@@ -996,7 +965,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.043Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 30,
         "auditd.log.ses": "4294967295",
@@ -1027,7 +995,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.044Z",
         "auditd.log.record_type": "SERVICE_STOP",
         "auditd.log.sequence": 31,
         "auditd.log.ses": "4294967295",
@@ -1058,7 +1025,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.069Z",
         "auditd.log.entries": 0,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -1083,7 +1049,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.069Z",
         "auditd.log.a0": "0",
         "auditd.log.a1": "41a15c",
         "auditd.log.a2": "0",
@@ -1127,7 +1092,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.104Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 33,
         "auditd.log.ses": "4294967295",
@@ -1158,7 +1122,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.099Z",
         "auditd.log.entries": 0,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -1183,7 +1146,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.099Z",
         "auditd.log.a0": "0",
         "auditd.log.a1": "41a15c",
         "auditd.log.a2": "0",
@@ -1227,7 +1189,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.128Z",
         "auditd.log.entries": 0,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -1252,7 +1213,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.128Z",
         "auditd.log.a0": "0",
         "auditd.log.a1": "41a15c",
         "auditd.log.a2": "0",
@@ -1296,7 +1256,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.164Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 36,
         "auditd.log.ses": "4294967295",
@@ -1327,7 +1286,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.166Z",
         "auditd.log.record_type": "SERVICE_STOP",
         "auditd.log.sequence": 37,
         "auditd.log.ses": "4294967295",
@@ -1358,7 +1316,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.167Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 38,
         "auditd.log.ses": "4294967295",
@@ -1389,7 +1346,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.168Z",
         "auditd.log.record_type": "SERVICE_STOP",
         "auditd.log.sequence": 39,
         "auditd.log.ses": "4294967295",
@@ -1420,7 +1376,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.170Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 40,
         "auditd.log.ses": "4294967295",
@@ -1451,7 +1406,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.170Z",
         "auditd.log.record_type": "SERVICE_STOP",
         "auditd.log.sequence": 41,
         "auditd.log.ses": "4294967295",
@@ -1482,7 +1436,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.180Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 42,
         "auditd.log.ses": "4294967295",
@@ -1513,7 +1466,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.187Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 43,
         "auditd.log.ses": "4294967295",
@@ -1544,7 +1496,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.191Z",
         "auditd.log.entries": 0,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -1569,7 +1520,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.191Z",
         "auditd.log.a0": "1",
         "auditd.log.a1": "41a15c",
         "auditd.log.a2": "0",
@@ -1613,7 +1563,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.511Z",
         "auditd.log.record_type": "SERVICE_START",
         "auditd.log.sequence": 45,
         "auditd.log.ses": "4294967295",
@@ -1644,7 +1593,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.528Z",
         "auditd.log.entries": 5,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -1669,7 +1617,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.528Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -1713,7 +1660,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.532Z",
         "auditd.log.entries": 5,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -1738,7 +1684,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.532Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -1782,7 +1727,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.534Z",
         "auditd.log.entries": 6,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -1807,7 +1751,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.534Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -1851,7 +1794,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.537Z",
         "auditd.log.entries": 6,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -1876,7 +1818,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.537Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -1920,7 +1861,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.538Z",
         "auditd.log.entries": 4,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -1945,7 +1885,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.538Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -1989,7 +1928,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.542Z",
         "auditd.log.entries": 4,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2014,7 +1952,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.542Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -2058,7 +1995,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.543Z",
         "auditd.log.entries": 3,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2083,7 +2019,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.543Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -2127,7 +2062,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.546Z",
         "auditd.log.entries": 3,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2152,7 +2086,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.546Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -2196,7 +2129,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.548Z",
         "auditd.log.entries": 4,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2221,7 +2153,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.548Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -2265,7 +2196,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.552Z",
         "auditd.log.entries": 4,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2290,7 +2220,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.552Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -2334,7 +2263,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.553Z",
         "auditd.log.entries": 5,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2359,7 +2287,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.553Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "29",
         "auditd.log.a2": "40",
@@ -2403,7 +2330,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.556Z",
         "auditd.log.entries": 5,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2428,7 +2354,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.556Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "29",
         "auditd.log.a2": "40",
@@ -2472,7 +2397,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.557Z",
         "auditd.log.entries": 6,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2497,7 +2421,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.557Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "29",
         "auditd.log.a2": "40",
@@ -2541,7 +2464,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.560Z",
         "auditd.log.entries": 6,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2566,7 +2488,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.560Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "29",
         "auditd.log.a2": "40",
@@ -2610,7 +2531,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.562Z",
         "auditd.log.entries": 4,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2635,7 +2555,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.562Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "29",
         "auditd.log.a2": "40",
@@ -2679,7 +2598,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.566Z",
         "auditd.log.entries": 4,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2704,7 +2622,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.566Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "29",
         "auditd.log.a2": "40",
@@ -2748,7 +2665,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.569Z",
         "auditd.log.entries": 3,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2773,7 +2689,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.569Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "29",
         "auditd.log.a2": "40",
@@ -2817,7 +2732,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.573Z",
         "auditd.log.entries": 3,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2842,7 +2756,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.573Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "29",
         "auditd.log.a2": "40",
@@ -2886,7 +2799,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.575Z",
         "auditd.log.entries": 4,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2911,7 +2823,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.575Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "29",
         "auditd.log.a2": "40",
@@ -2955,7 +2866,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.578Z",
         "auditd.log.entries": 4,
         "auditd.log.family": "10",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -2980,7 +2890,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.578Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "29",
         "auditd.log.a2": "40",
@@ -3024,7 +2933,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.580Z",
         "auditd.log.entries": 6,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -3049,7 +2957,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.580Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -3093,7 +3000,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.582Z",
         "auditd.log.entries": 6,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -3118,7 +3024,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.582Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -3162,7 +3067,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.583Z",
         "auditd.log.entries": 6,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -3187,7 +3091,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.583Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -3231,7 +3134,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.585Z",
         "auditd.log.entries": 6,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
@@ -3256,7 +3158,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.585Z",
         "auditd.log.a0": "4",
         "auditd.log.a1": "0",
         "auditd.log.a2": "40",
@@ -3300,7 +3201,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2016-12-07T02:16:25.587Z",
         "auditd.log.entries": 6,
         "auditd.log.family": "2",
         "auditd.log.record_type": "NETFILTER_CFG",
diff --git a/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json b/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json
index 3c749e10d58d..d4660c1e4195 100644
--- a/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json
+++ b/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json
@@ -1,6 +1,5 @@
 [
     {
-        "@timestamp": "2017-04-21T05:28:40.441Z",
         "auditd.log.a0": "3",
         "auditd.log.a1": "7ffd0dc80040",
         "auditd.log.a2": "7ffd0dc7ffd0",
@@ -45,7 +44,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2017-04-21T05:28:40.441Z",
         "auditd.log.saddr": "0200E31C4853E6640000000000000000",
         "auditd.log.sequence": 8832,
         "event.action": "sockaddr",
@@ -59,7 +57,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2017-04-21T05:28:40.441Z",
         "auditd.log.proctitle": "(sshd)",
         "auditd.log.sequence": 8832,
         "event.action": "proctitle",
@@ -73,7 +70,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2017-04-21T05:38:27.096Z",
         "auditd.log.a0": "5",
         "auditd.log.a1": "7ffc12ac3ab0",
         "auditd.log.a2": "10",
@@ -118,7 +114,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2017-04-21T05:38:27.096Z",
         "auditd.log.saddr": "02000050A9FEA9FE0000000000000000",
         "auditd.log.sequence": 9004,
         "event.action": "sockaddr",
@@ -132,7 +127,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2017-04-21T05:38:27.096Z",
         "auditd.log.proctitle": "(g_daemon)",
         "auditd.log.sequence": 9004,
         "event.action": "proctitle",
diff --git a/filebeat/module/auditd/log/test/avc.log-expected.json b/filebeat/module/auditd/log/test/avc.log-expected.json
index 3179d7f8b092..bf893021e231 100644
--- a/filebeat/module/auditd/log/test/avc.log-expected.json
+++ b/filebeat/module/auditd/log/test/avc.log-expected.json
@@ -1,6 +1,5 @@
 [
     {
-        "@timestamp": "2008-11-16T22:21:13.147Z",
         "auditd.log.dev": "dm-0",
         "auditd.log.ino": "284133",
         "auditd.log.path": "/var/www/html/file1",
@@ -21,7 +20,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2018-04-25T13:28:53.080Z",
         "auditd.log.apparmor": "DENIED",
         "auditd.log.denied_mask": "trace",
         "auditd.log.operation": "ptrace",
@@ -45,7 +43,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2018-04-25T13:28:53.080Z",
         "auditd.log.record_type": "AVC",
         "auditd.log.sequence": 61207,
         "auditd.log.seresult": "1",
diff --git a/filebeat/module/auditd/log/test/execve.log b/filebeat/module/auditd/log/test/execve.log
new file mode 100644
index 000000000000..c899c8427237
--- /dev/null
+++ b/filebeat/module/auditd/log/test/execve.log
@@ -0,0 +1,91 @@
+type=EXECVE msg=audit(1481077231.371:479): argc=7 a0="auditctl" a1="-a" a2="exit,always" a3="-F" a4="arch=b32" a5="-S" a6="execve"
+type=EXECVE msg=audit(1481077231.372:481): argc=3 a0="auditctl" a1="-e" a2="1"
+type=EXECVE msg=audit(1481077232.471:485): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481077253.941:486): argc=3 a0="/usr/sbin/sshd" a1="-D" a2="-R"
+type=EXECVE msg=audit(1481077254.135:493): argc=3 a0="/usr/sbin/unix_chkpwd" a1="some_user" a2="chkexpiry"
+type=EXECVE msg=audit(1481077254.258:507): argc=1 a0="-bash"
+type=EXECVE msg=audit(1481077254.261:508): argc=2 a0="id" a1="-un"
+type=EXECVE msg=audit(1481077254.264:509): argc=1 a0="/usr/bin/hostname"
+type=EXECVE msg=audit(1481077254.265:510): argc=2 a0="id" a1="-gn"
+type=EXECVE msg=audit(1481077254.266:511): argc=2 a0="id" a1="-un"
+type=EXECVE msg=audit(1481077254.268:512): argc=3 a0="/bin/sh" a1="/usr/libexec/grepconf.sh" a2="-c"
+type=EXECVE msg=audit(1481077254.269:513): argc=4 a0="grep" a1="-qsi" a2="^COLOR.*none" a3="/etc/GREP_COLORS"
+type=EXECVE msg=audit(1481077254.270:514): argc=2 a0="/usr/bin/tty" a1="-s"
+type=EXECVE msg=audit(1481077254.271:515): argc=2 a0="/usr/bin/tput" a1="colors"
+type=EXECVE msg=audit(1481077254.273:516): argc=3 a0="/usr/bin/dircolors" a1="--sh" a2="/etc/DIR_COLORS.256color"
+type=EXECVE msg=audit(1481077254.274:517): argc=4 a0="/usr/bin/grep" a1="-qi" a2="^COLOR.*none" a3="/etc/DIR_COLORS.256color"
+type=EXECVE msg=audit(1481077254.276:518): argc=2 a0="/usr/bin/id" a1="-u"
+type=EXECVE msg=audit(1481077267.546:519): argc=2 a0="/sbin/restorecon" a1="/home/some_user"
+type=EXECVE msg=audit(1481077267.553:520): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh"
+type=EXECVE msg=audit(1481077267.557:521): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh/authorized_keys"
+type=EXECVE msg=audit(1481077267.561:522): argc=2 a0="/sbin/restorecon" a1="/var/lib/google/google_users"
+type=EXECVE msg=audit(1481077278.176:525): argc=2 a0="vim" a1="audit.yaml"
+type=EXECVE msg=audit(1481077292.487:528): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481077308.360:529): argc=4 a0="sudo" a1="./go-audit" a2="-config" a3="audit.yaml"
+type=EXECVE msg=audit(1481077308.371:533): argc=3 a0="./go-audit" a1="-config" a2="audit.yaml"
+type=EXECVE msg=audit(1481077308.376:534): argc=2 a0="auditctl" a1="-D"
+type=EXECVE msg=audit(1481077308.378:538): argc=7 a0="auditctl" a1="-a" a2="exit,always" a3="-F" a4="arch=b32" a5="-S" a6="execve"
+type=EXECVE msg=audit(1481077308.379:540): argc=3 a0="auditctl" a1="-e" a2="1"
+type=EXECVE msg=audit(1481077317.921:542): argc=2 a0="./go-audit" a1="-h"
+type=EXECVE msg=audit(1481077334.297:543): argc=2 a0="sudo" a1="su"
+type=EXECVE msg=audit(1481077334.304:547): argc=1 a0="su"
+type=EXECVE msg=audit(1481077334.330:552): argc=1 a0="bash"
+type=EXECVE msg=audit(1481077334.334:553): argc=3 a0="/bin/sh" a1="/usr/libexec/grepconf.sh" a2="-c"
+type=EXECVE msg=audit(1481077334.335:554): argc=4 a0="grep" a1="-qsi" a2="^COLOR.*none" a3="/etc/GREP_COLORS"
+type=EXECVE msg=audit(1481077334.336:555): argc=2 a0="/usr/bin/tty" a1="-s"
+type=EXECVE msg=audit(1481077334.337:556): argc=2 a0="/usr/bin/tput" a1="colors"
+type=EXECVE msg=audit(1481077334.338:557): argc=3 a0="/usr/bin/dircolors" a1="--sh" a2="/etc/DIR_COLORS.256color"
+type=EXECVE msg=audit(1481077334.339:558): argc=4 a0="/usr/bin/grep" a1="-qi" a2="^COLOR.*none" a3="/etc/DIR_COLORS.256color"
+type=EXECVE msg=audit(1481077334.341:559): argc=2 a0="/usr/bin/id" a1="-u"
+type=EXECVE msg=audit(1481077336.705:560): argc=2 a0="./go-audit" a1="-h"
+type=EXECVE msg=audit(1481077352.504:563): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481077356.580:564): argc=2 a0="/sbin/restorecon" a1="/home/some_user"
+type=EXECVE msg=audit(1481077356.585:565): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh"
+type=EXECVE msg=audit(1481077356.590:566): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh/authorized_keys"
+type=EXECVE msg=audit(1481077356.593:567): argc=2 a0="/sbin/restorecon" a1="/var/lib/google/google_users"
+type=EXECVE msg=audit(1481077412.521:570): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481077445.611:571): argc=2 a0="/sbin/restorecon" a1="/home/some_user"
+type=EXECVE msg=audit(1481077445.615:572): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh"
+type=EXECVE msg=audit(1481077445.619:573): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh/authorized_keys"
+type=EXECVE msg=audit(1481077445.622:574): argc=2 a0="/sbin/restorecon" a1="/var/lib/google/google_users"
+type=EXECVE msg=audit(1481077472.536:577): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481077532.552:580): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481077534.641:581): argc=2 a0="/sbin/restorecon" a1="/home/some_user"
+type=EXECVE msg=audit(1481077534.645:582): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh"
+type=EXECVE msg=audit(1481077534.648:583): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh/authorized_keys"
+type=EXECVE msg=audit(1481077534.652:584): argc=2 a0="/sbin/restorecon" a1="/var/lib/google/google_users"
+type=EXECVE msg=audit(1481077592.568:587): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481077623.670:588): argc=2 a0="/sbin/restorecon" a1="/home/some_user"
+type=EXECVE msg=audit(1481077623.674:589): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh"
+type=EXECVE msg=audit(1481077623.678:590): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh/authorized_keys"
+type=EXECVE msg=audit(1481077623.681:591): argc=2 a0="/sbin/restorecon" a1="/var/lib/google/google_users"
+type=EXECVE msg=audit(1481077652.585:594): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481077708.279:597): argc=2 a0="vim" a1="audit.yaml"
+type=EXECVE msg=audit(1481077712.602:600): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481077712.699:601): argc=2 a0="/sbin/restorecon" a1="/home/some_user"
+type=EXECVE msg=audit(1481077712.703:602): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh"
+type=EXECVE msg=audit(1481077712.707:603): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh/authorized_keys"
+type=EXECVE msg=audit(1481077712.710:604): argc=2 a0="/sbin/restorecon" a1="/var/lib/google/google_users"
+type=EXECVE msg=audit(1481077772.619:607): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481077801.729:608): argc=2 a0="/sbin/restorecon" a1="/home/some_user"
+type=EXECVE msg=audit(1481077801.733:609): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh"
+type=EXECVE msg=audit(1481077801.737:610): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh/authorized_keys"
+type=EXECVE msg=audit(1481077801.740:611): argc=2 a0="/sbin/restorecon" a1="/var/lib/google/google_users"
+type=EXECVE msg=audit(1481077832.635:614): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481077889.545:615): argc=2 a0="/usr/bin/systemd-tmpfiles" a1="--clean"
+type=EXECVE msg=audit(1481077890.759:618): argc=2 a0="/sbin/restorecon" a1="/home/some_user"
+type=EXECVE msg=audit(1481077890.765:619): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh"
+type=EXECVE msg=audit(1481077890.769:620): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh/authorized_keys"
+type=EXECVE msg=audit(1481077890.772:621): argc=2 a0="/sbin/restorecon" a1="/var/lib/google/google_users"
+type=EXECVE msg=audit(1481077892.652:624): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481077952.668:627): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481077979.791:628): argc=2 a0="/sbin/restorecon" a1="/home/some_user"
+type=EXECVE msg=audit(1481077979.795:629): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh"
+type=EXECVE msg=audit(1481077979.799:630): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh/authorized_keys"
+type=EXECVE msg=audit(1481077979.802:631): argc=2 a0="/sbin/restorecon" a1="/var/lib/google/google_users"
+type=EXECVE msg=audit(1481078012.684:634): argc=13 a0="ip" a1="route" a2="ls" a3="table" a4="local" a5="type" a6="local" a7="scope" a8="host" a9="dev" a10="eth0" a11="proto" a12="66"
+type=EXECVE msg=audit(1481078068.821:635): argc=2 a0="/sbin/restorecon" a1="/home/some_user"
+type=EXECVE msg=audit(1481078068.825:636): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh"
+type=EXECVE msg=audit(1481078068.829:637): argc=2 a0="/sbin/restorecon" a1="/home/some_user/.ssh/authorized_keys"
+type=EXECVE msg=audit(1481078068.832:638): argc=2 a0="/sbin/restorecon" a1="/var/lib/google/google_users"
+type=EXECVE msg=audit(1481078069.999:639): argc=101 a0="/sbin/test" a1="/arg1" a2="/arg2" a3="/arg3" a4="/arg4" a5="/arg5" a6="/arg6" a7="/arg7" a8="/arg8" a9="/arg9" a10="/arg10" a11="/arg11" a12="/arg12" a13="/arg13" a14="/arg14" a15="/arg15" a16="/arg16" a17="/arg17" a18="/arg18" a19="/arg19" a20="/arg20" a21="/arg21" a22="/arg22" a23="/arg23" a24="/arg24" a25="/arg25" a26="/arg26" a27="/arg27" a28="/arg28" a29="/arg29" a30="/arg30" a31="/arg31" a32="/arg32" a33="/arg33" a34="/arg34" a35="/arg35" a36="/arg36" a37="/arg37" a38="/arg38" a39="/arg39" a40="/arg40" a41="/arg41" a42="/arg42" a43="/arg43" a44="/arg44" a45="/arg45" a46="/arg46" a47="/arg47" a48="/arg48" a49="/arg49" a50="/arg50" a51="/arg51" a52="/arg52" a53="/arg53" a54="/arg54" a55="/arg55" a56="/arg56" a57="/arg57" a58="/arg58" a59="/arg59" a60="/arg60" a61="/arg61" a62="/arg62" a63="/arg63" a64="/arg64" a65="/arg65" a66="/arg66" a67="/arg67" a68="/arg68" a69="/arg69" a70="/arg70" a71="/arg71" a72="/arg72" a73="/arg73" a74="/arg74" a75="/arg75" a76="/arg76" a77="/arg77" a78="/arg78" a79="/arg79" a80="/arg80" a81="/arg81" a82="/arg82" a83="/arg83" a84="/arg84" a85="/arg85" a86="/arg86" a87="/arg87" a88="/arg88" a89="/arg89" a90="/arg90" a91="/arg91" a92="/arg92" a93="/arg93" a94="/arg94" a95="/arg95" a96="/arg96" a97="/arg97" a98="/arg98" a99="/arg99"
diff --git a/filebeat/module/auditd/log/test/execve.log-expected.json b/filebeat/module/auditd/log/test/execve.log-expected.json
new file mode 100644
index 000000000000..0dfcb755fcdd
--- /dev/null
+++ b/filebeat/module/auditd/log/test/execve.log-expected.json
@@ -0,0 +1,1917 @@
+[
+    {
+        "auditd.log.sequence": 479,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077231.371:479): argc=7 a0=\"auditctl\" a1=\"-a\" a2=\"exit,always\" a3=\"-F\" a4=\"arch=b32\" a5=\"-S\" a6=\"execve\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 0,
+        "process.args": [
+            "auditctl",
+            "-a",
+            "exit,always",
+            "-F",
+            "arch=b32",
+            "-S",
+            "execve"
+        ],
+        "process.args_count": 7,
+        "process.executable": "auditctl",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 481,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077231.372:481): argc=3 a0=\"auditctl\" a1=\"-e\" a2=\"1\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 131,
+        "process.args": [
+            "auditctl",
+            "-e",
+            "1"
+        ],
+        "process.args_count": 3,
+        "process.executable": "auditctl",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 485,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077232.471:485): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 210,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 486,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077253.941:486): argc=3 a0=\"/usr/sbin/sshd\" a1=\"-D\" a2=\"-R\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 393,
+        "process.args": [
+            "/usr/sbin/sshd",
+            "-D",
+            "-R"
+        ],
+        "process.args_count": 3,
+        "process.executable": "/usr/sbin/sshd",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 493,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077254.135:493): argc=3 a0=\"/usr/sbin/unix_chkpwd\" a1=\"some_user\" a2=\"chkexpiry\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 479,
+        "process.args": [
+            "/usr/sbin/unix_chkpwd",
+            "some_user",
+            "chkexpiry"
+        ],
+        "process.args_count": 3,
+        "process.executable": "/usr/sbin/unix_chkpwd",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 507,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077254.258:507): argc=1 a0=\"-bash\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 586,
+        "process.args": [
+            "-bash"
+        ],
+        "process.args_count": 1,
+        "process.executable": "-bash",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 508,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077254.261:508): argc=2 a0=\"id\" a1=\"-un\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 647,
+        "process.args": [
+            "id",
+            "-un"
+        ],
+        "process.args_count": 2,
+        "process.executable": "id",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 509,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077254.264:509): argc=1 a0=\"/usr/bin/hostname\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 714,
+        "process.args": [
+            "/usr/bin/hostname"
+        ],
+        "process.args_count": 1,
+        "process.executable": "/usr/bin/hostname",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 510,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077254.265:510): argc=2 a0=\"id\" a1=\"-gn\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 787,
+        "process.args": [
+            "id",
+            "-gn"
+        ],
+        "process.args_count": 2,
+        "process.executable": "id",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 511,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077254.266:511): argc=2 a0=\"id\" a1=\"-un\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 854,
+        "process.args": [
+            "id",
+            "-un"
+        ],
+        "process.args_count": 2,
+        "process.executable": "id",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 512,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077254.268:512): argc=3 a0=\"/bin/sh\" a1=\"/usr/libexec/grepconf.sh\" a2=\"-c\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 921,
+        "process.args": [
+            "/bin/sh",
+            "/usr/libexec/grepconf.sh",
+            "-c"
+        ],
+        "process.args_count": 3,
+        "process.executable": "/bin/sh",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 513,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077254.269:513): argc=4 a0=\"grep\" a1=\"-qsi\" a2=\"^COLOR.*none\" a3=\"/etc/GREP_COLORS\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1022,
+        "process.args": [
+            "grep",
+            "-qsi",
+            "^COLOR.*none",
+            "/etc/GREP_COLORS"
+        ],
+        "process.args_count": 4,
+        "process.executable": "grep",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 514,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077254.270:514): argc=2 a0=\"/usr/bin/tty\" a1=\"-s\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1132,
+        "process.args": [
+            "/usr/bin/tty",
+            "-s"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/usr/bin/tty",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 515,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077254.271:515): argc=2 a0=\"/usr/bin/tput\" a1=\"colors\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1208,
+        "process.args": [
+            "/usr/bin/tput",
+            "colors"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/usr/bin/tput",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 516,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077254.273:516): argc=3 a0=\"/usr/bin/dircolors\" a1=\"--sh\" a2=\"/etc/DIR_COLORS.256color\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1289,
+        "process.args": [
+            "/usr/bin/dircolors",
+            "--sh",
+            "/etc/DIR_COLORS.256color"
+        ],
+        "process.args_count": 3,
+        "process.executable": "/usr/bin/dircolors",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 517,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077254.274:517): argc=4 a0=\"/usr/bin/grep\" a1=\"-qi\" a2=\"^COLOR.*none\" a3=\"/etc/DIR_COLORS.256color\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1403,
+        "process.args": [
+            "/usr/bin/grep",
+            "-qi",
+            "^COLOR.*none",
+            "/etc/DIR_COLORS.256color"
+        ],
+        "process.args_count": 4,
+        "process.executable": "/usr/bin/grep",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 518,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077254.276:518): argc=2 a0=\"/usr/bin/id\" a1=\"-u\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1529,
+        "process.args": [
+            "/usr/bin/id",
+            "-u"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/usr/bin/id",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 519,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077267.546:519): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1604,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 520,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077267.553:520): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1697,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 521,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077267.557:521): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh/authorized_keys\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1795,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh/authorized_keys"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 522,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077267.561:522): argc=2 a0=\"/sbin/restorecon\" a1=\"/var/lib/google/google_users\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 1909,
+        "process.args": [
+            "/sbin/restorecon",
+            "/var/lib/google/google_users"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 525,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077278.176:525): argc=2 a0=\"vim\" a1=\"audit.yaml\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 2015,
+        "process.args": [
+            "vim",
+            "audit.yaml"
+        ],
+        "process.args_count": 2,
+        "process.executable": "vim",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 528,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077292.487:528): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 2090,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 529,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077308.360:529): argc=4 a0=\"sudo\" a1=\"./go-audit\" a2=\"-config\" a3=\"audit.yaml\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 2273,
+        "process.args": [
+            "sudo",
+            "./go-audit",
+            "-config",
+            "audit.yaml"
+        ],
+        "process.args_count": 4,
+        "process.executable": "sudo",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 533,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077308.371:533): argc=3 a0=\"./go-audit\" a1=\"-config\" a2=\"audit.yaml\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 2378,
+        "process.args": [
+            "./go-audit",
+            "-config",
+            "audit.yaml"
+        ],
+        "process.args_count": 3,
+        "process.executable": "./go-audit",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 534,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077308.376:534): argc=2 a0=\"auditctl\" a1=\"-D\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 2473,
+        "process.args": [
+            "auditctl",
+            "-D"
+        ],
+        "process.args_count": 2,
+        "process.executable": "auditctl",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 538,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077308.378:538): argc=7 a0=\"auditctl\" a1=\"-a\" a2=\"exit,always\" a3=\"-F\" a4=\"arch=b32\" a5=\"-S\" a6=\"execve\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 2545,
+        "process.args": [
+            "auditctl",
+            "-a",
+            "exit,always",
+            "-F",
+            "arch=b32",
+            "-S",
+            "execve"
+        ],
+        "process.args_count": 7,
+        "process.executable": "auditctl",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 540,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077308.379:540): argc=3 a0=\"auditctl\" a1=\"-e\" a2=\"1\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 2676,
+        "process.args": [
+            "auditctl",
+            "-e",
+            "1"
+        ],
+        "process.args_count": 3,
+        "process.executable": "auditctl",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 542,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077317.921:542): argc=2 a0=\"./go-audit\" a1=\"-h\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 2755,
+        "process.args": [
+            "./go-audit",
+            "-h"
+        ],
+        "process.args_count": 2,
+        "process.executable": "./go-audit",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 543,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077334.297:543): argc=2 a0=\"sudo\" a1=\"su\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 2829,
+        "process.args": [
+            "sudo",
+            "su"
+        ],
+        "process.args_count": 2,
+        "process.executable": "sudo",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 547,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077334.304:547): argc=1 a0=\"su\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 2897,
+        "process.args": [
+            "su"
+        ],
+        "process.args_count": 1,
+        "process.executable": "su",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 552,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077334.330:552): argc=1 a0=\"bash\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 2955,
+        "process.args": [
+            "bash"
+        ],
+        "process.args_count": 1,
+        "process.executable": "bash",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 553,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077334.334:553): argc=3 a0=\"/bin/sh\" a1=\"/usr/libexec/grepconf.sh\" a2=\"-c\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 3015,
+        "process.args": [
+            "/bin/sh",
+            "/usr/libexec/grepconf.sh",
+            "-c"
+        ],
+        "process.args_count": 3,
+        "process.executable": "/bin/sh",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 554,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077334.335:554): argc=4 a0=\"grep\" a1=\"-qsi\" a2=\"^COLOR.*none\" a3=\"/etc/GREP_COLORS\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 3116,
+        "process.args": [
+            "grep",
+            "-qsi",
+            "^COLOR.*none",
+            "/etc/GREP_COLORS"
+        ],
+        "process.args_count": 4,
+        "process.executable": "grep",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 555,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077334.336:555): argc=2 a0=\"/usr/bin/tty\" a1=\"-s\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 3226,
+        "process.args": [
+            "/usr/bin/tty",
+            "-s"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/usr/bin/tty",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 556,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077334.337:556): argc=2 a0=\"/usr/bin/tput\" a1=\"colors\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 3302,
+        "process.args": [
+            "/usr/bin/tput",
+            "colors"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/usr/bin/tput",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 557,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077334.338:557): argc=3 a0=\"/usr/bin/dircolors\" a1=\"--sh\" a2=\"/etc/DIR_COLORS.256color\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 3383,
+        "process.args": [
+            "/usr/bin/dircolors",
+            "--sh",
+            "/etc/DIR_COLORS.256color"
+        ],
+        "process.args_count": 3,
+        "process.executable": "/usr/bin/dircolors",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 558,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077334.339:558): argc=4 a0=\"/usr/bin/grep\" a1=\"-qi\" a2=\"^COLOR.*none\" a3=\"/etc/DIR_COLORS.256color\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 3497,
+        "process.args": [
+            "/usr/bin/grep",
+            "-qi",
+            "^COLOR.*none",
+            "/etc/DIR_COLORS.256color"
+        ],
+        "process.args_count": 4,
+        "process.executable": "/usr/bin/grep",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 559,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077334.341:559): argc=2 a0=\"/usr/bin/id\" a1=\"-u\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 3623,
+        "process.args": [
+            "/usr/bin/id",
+            "-u"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/usr/bin/id",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 560,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077336.705:560): argc=2 a0=\"./go-audit\" a1=\"-h\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 3698,
+        "process.args": [
+            "./go-audit",
+            "-h"
+        ],
+        "process.args_count": 2,
+        "process.executable": "./go-audit",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 563,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077352.504:563): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 3772,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 564,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077356.580:564): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 3955,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 565,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077356.585:565): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 4048,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 566,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077356.590:566): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh/authorized_keys\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 4146,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh/authorized_keys"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 567,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077356.593:567): argc=2 a0=\"/sbin/restorecon\" a1=\"/var/lib/google/google_users\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 4260,
+        "process.args": [
+            "/sbin/restorecon",
+            "/var/lib/google/google_users"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 570,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077412.521:570): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 4366,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 571,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077445.611:571): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 4549,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 572,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077445.615:572): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 4642,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 573,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077445.619:573): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh/authorized_keys\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 4740,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh/authorized_keys"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 574,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077445.622:574): argc=2 a0=\"/sbin/restorecon\" a1=\"/var/lib/google/google_users\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 4854,
+        "process.args": [
+            "/sbin/restorecon",
+            "/var/lib/google/google_users"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 577,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077472.536:577): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 4960,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 580,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077532.552:580): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 5143,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 581,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077534.641:581): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 5326,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 582,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077534.645:582): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 5419,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 583,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077534.648:583): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh/authorized_keys\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 5517,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh/authorized_keys"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 584,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077534.652:584): argc=2 a0=\"/sbin/restorecon\" a1=\"/var/lib/google/google_users\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 5631,
+        "process.args": [
+            "/sbin/restorecon",
+            "/var/lib/google/google_users"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 587,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077592.568:587): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 5737,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 588,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077623.670:588): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 5920,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 589,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077623.674:589): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 6013,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 590,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077623.678:590): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh/authorized_keys\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 6111,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh/authorized_keys"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 591,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077623.681:591): argc=2 a0=\"/sbin/restorecon\" a1=\"/var/lib/google/google_users\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 6225,
+        "process.args": [
+            "/sbin/restorecon",
+            "/var/lib/google/google_users"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 594,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077652.585:594): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 6331,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 597,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077708.279:597): argc=2 a0=\"vim\" a1=\"audit.yaml\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 6514,
+        "process.args": [
+            "vim",
+            "audit.yaml"
+        ],
+        "process.args_count": 2,
+        "process.executable": "vim",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 600,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077712.602:600): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 6589,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 601,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077712.699:601): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 6772,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 602,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077712.703:602): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 6865,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 603,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077712.707:603): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh/authorized_keys\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 6963,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh/authorized_keys"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 604,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077712.710:604): argc=2 a0=\"/sbin/restorecon\" a1=\"/var/lib/google/google_users\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 7077,
+        "process.args": [
+            "/sbin/restorecon",
+            "/var/lib/google/google_users"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 607,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077772.619:607): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 7183,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 608,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077801.729:608): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 7366,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 609,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077801.733:609): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 7459,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 610,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077801.737:610): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh/authorized_keys\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 7557,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh/authorized_keys"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 611,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077801.740:611): argc=2 a0=\"/sbin/restorecon\" a1=\"/var/lib/google/google_users\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 7671,
+        "process.args": [
+            "/sbin/restorecon",
+            "/var/lib/google/google_users"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 614,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077832.635:614): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 7777,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 615,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077889.545:615): argc=2 a0=\"/usr/bin/systemd-tmpfiles\" a1=\"--clean\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 7960,
+        "process.args": [
+            "/usr/bin/systemd-tmpfiles",
+            "--clean"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/usr/bin/systemd-tmpfiles",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 618,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077890.759:618): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 8054,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 619,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077890.765:619): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 8147,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 620,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077890.769:620): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh/authorized_keys\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 8245,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh/authorized_keys"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 621,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077890.772:621): argc=2 a0=\"/sbin/restorecon\" a1=\"/var/lib/google/google_users\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 8359,
+        "process.args": [
+            "/sbin/restorecon",
+            "/var/lib/google/google_users"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 624,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077892.652:624): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 8465,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 627,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077952.668:627): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 8648,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 628,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077979.791:628): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 8831,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 629,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077979.795:629): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 8924,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 630,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077979.799:630): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh/authorized_keys\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 9022,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh/authorized_keys"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 631,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481077979.802:631): argc=2 a0=\"/sbin/restorecon\" a1=\"/var/lib/google/google_users\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 9136,
+        "process.args": [
+            "/sbin/restorecon",
+            "/var/lib/google/google_users"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 634,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481078012.684:634): argc=13 a0=\"ip\" a1=\"route\" a2=\"ls\" a3=\"table\" a4=\"local\" a5=\"type\" a6=\"local\" a7=\"scope\" a8=\"host\" a9=\"dev\" a10=\"eth0\" a11=\"proto\" a12=\"66\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 9242,
+        "process.args": [
+            "ip",
+            "route",
+            "ls",
+            "table",
+            "local",
+            "type",
+            "local",
+            "scope",
+            "host",
+            "dev",
+            "eth0",
+            "proto",
+            "66"
+        ],
+        "process.args_count": 13,
+        "process.executable": "ip",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 635,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481078068.821:635): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 9425,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 636,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481078068.825:636): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 9518,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 637,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481078068.829:637): argc=2 a0=\"/sbin/restorecon\" a1=\"/home/some_user/.ssh/authorized_keys\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 9616,
+        "process.args": [
+            "/sbin/restorecon",
+            "/home/some_user/.ssh/authorized_keys"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 638,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481078068.832:638): argc=2 a0=\"/sbin/restorecon\" a1=\"/var/lib/google/google_users\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 9730,
+        "process.args": [
+            "/sbin/restorecon",
+            "/var/lib/google/google_users"
+        ],
+        "process.args_count": 2,
+        "process.executable": "/sbin/restorecon",
+        "service.type": "auditd"
+    },
+    {
+        "auditd.log.sequence": 639,
+        "event.action": "execve",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "event.original": "type=EXECVE msg=audit(1481078069.999:639): argc=101 a0=\"/sbin/test\" a1=\"/arg1\" a2=\"/arg2\" a3=\"/arg3\" a4=\"/arg4\" a5=\"/arg5\" a6=\"/arg6\" a7=\"/arg7\" a8=\"/arg8\" a9=\"/arg9\" a10=\"/arg10\" a11=\"/arg11\" a12=\"/arg12\" a13=\"/arg13\" a14=\"/arg14\" a15=\"/arg15\" a16=\"/arg16\" a17=\"/arg17\" a18=\"/arg18\" a19=\"/arg19\" a20=\"/arg20\" a21=\"/arg21\" a22=\"/arg22\" a23=\"/arg23\" a24=\"/arg24\" a25=\"/arg25\" a26=\"/arg26\" a27=\"/arg27\" a28=\"/arg28\" a29=\"/arg29\" a30=\"/arg30\" a31=\"/arg31\" a32=\"/arg32\" a33=\"/arg33\" a34=\"/arg34\" a35=\"/arg35\" a36=\"/arg36\" a37=\"/arg37\" a38=\"/arg38\" a39=\"/arg39\" a40=\"/arg40\" a41=\"/arg41\" a42=\"/arg42\" a43=\"/arg43\" a44=\"/arg44\" a45=\"/arg45\" a46=\"/arg46\" a47=\"/arg47\" a48=\"/arg48\" a49=\"/arg49\" a50=\"/arg50\" a51=\"/arg51\" a52=\"/arg52\" a53=\"/arg53\" a54=\"/arg54\" a55=\"/arg55\" a56=\"/arg56\" a57=\"/arg57\" a58=\"/arg58\" a59=\"/arg59\" a60=\"/arg60\" a61=\"/arg61\" a62=\"/arg62\" a63=\"/arg63\" a64=\"/arg64\" a65=\"/arg65\" a66=\"/arg66\" a67=\"/arg67\" a68=\"/arg68\" a69=\"/arg69\" a70=\"/arg70\" a71=\"/arg71\" a72=\"/arg72\" a73=\"/arg73\" a74=\"/arg74\" a75=\"/arg75\" a76=\"/arg76\" a77=\"/arg77\" a78=\"/arg78\" a79=\"/arg79\" a80=\"/arg80\" a81=\"/arg81\" a82=\"/arg82\" a83=\"/arg83\" a84=\"/arg84\" a85=\"/arg85\" a86=\"/arg86\" a87=\"/arg87\" a88=\"/arg88\" a89=\"/arg89\" a90=\"/arg90\" a91=\"/arg91\" a92=\"/arg92\" a93=\"/arg93\" a94=\"/arg94\" a95=\"/arg95\" a96=\"/arg96\" a97=\"/arg97\" a98=\"/arg98\" a99=\"/arg99\"",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 9836,
+        "process.args": [
+            "/sbin/test",
+            "/arg1",
+            "/arg2",
+            "/arg3",
+            "/arg4",
+            "/arg5",
+            "/arg6",
+            "/arg7",
+            "/arg8",
+            "/arg9",
+            "/arg10",
+            "/arg11",
+            "/arg12",
+            "/arg13",
+            "/arg14",
+            "/arg15",
+            "/arg16",
+            "/arg17",
+            "/arg18",
+            "/arg19",
+            "/arg20",
+            "/arg21",
+            "/arg22",
+            "/arg23",
+            "/arg24",
+            "/arg25",
+            "/arg26",
+            "/arg27",
+            "/arg28",
+            "/arg29",
+            "/arg30",
+            "/arg31",
+            "/arg32",
+            "/arg33",
+            "/arg34",
+            "/arg35",
+            "/arg36",
+            "/arg37",
+            "/arg38",
+            "/arg39",
+            "/arg40",
+            "/arg41",
+            "/arg42",
+            "/arg43",
+            "/arg44",
+            "/arg45",
+            "/arg46",
+            "/arg47",
+            "/arg48",
+            "/arg49",
+            "/arg50",
+            "/arg51",
+            "/arg52",
+            "/arg53",
+            "/arg54",
+            "/arg55",
+            "/arg56",
+            "/arg57",
+            "/arg58",
+            "/arg59",
+            "/arg60",
+            "/arg61",
+            "/arg62",
+            "/arg63",
+            "/arg64",
+            "/arg65",
+            "/arg66",
+            "/arg67",
+            "/arg68",
+            "/arg69",
+            "/arg70",
+            "/arg71",
+            "/arg72",
+            "/arg73",
+            "/arg74",
+            "/arg75",
+            "/arg76",
+            "/arg77",
+            "/arg78",
+            "/arg79",
+            "/arg80",
+            "/arg81",
+            "/arg82",
+            "/arg83",
+            "/arg84",
+            "/arg85",
+            "/arg86",
+            "/arg87",
+            "/arg88",
+            "/arg89",
+            "/arg90",
+            "/arg91",
+            "/arg92",
+            "/arg93",
+            "/arg94",
+            "/arg95",
+            "/arg96",
+            "/arg97",
+            "/arg98",
+            "/arg99"
+        ],
+        "process.args_count": 101,
+        "process.executable": "/sbin/test",
+        "service.type": "auditd"
+    }
+]
\ No newline at end of file
diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json
index 148499649881..af1e33ca542d 100644
--- a/filebeat/module/auditd/log/test/test.log-expected.json
+++ b/filebeat/module/auditd/log/test/test.log-expected.json
@@ -1,6 +1,5 @@
 [
     {
-        "@timestamp": "2017-01-31T20:17:14.891Z",
         "auditd.log.dst_prefixlen": 16,
         "auditd.log.op": "SPD-delete",
         "auditd.log.sequence": 18877201,
@@ -22,7 +21,6 @@
         "user.audit.id": "4294967295"
     },
     {
-        "@timestamp": "2017-01-31T20:17:14.891Z",
         "auditd.log.a0": "9",
         "auditd.log.a1": "7f564b2672a0",
         "auditd.log.a2": "b8",
@@ -66,7 +64,6 @@
         "user.saved.id": "0"
     },
     {
-        "@timestamp": "2017-03-14T19:20:56.192Z",
         "auditd.log.record_type": "USER_CMD",
         "auditd.log.sequence": 19600329,
         "auditd.log.ses": "11988",
@@ -88,8 +85,8 @@
         "input.type": "log",
         "log.offset": 536,
         "process.args": [
-            "-p",
             "/usr/lib64/nagios/plugins/check_asterisk_sip_peers",
+            "-p",
             "202"
         ],
         "process.args_count": 3,
@@ -100,7 +97,6 @@
         "user.id": "497"
     },
     {
-        "@timestamp": "2016-12-07T02:17:21.515Z",
         "auditd.log.cipher": "chacha20-poly1305@openssh.com",
         "auditd.log.direction": "from-server",
         "auditd.log.ksize": 512,
@@ -150,7 +146,6 @@
         "user.saved.id": "74"
     },
     {
-        "@timestamp": "2017-04-11T15:21:03.550Z",
         "auditd.log.data": "eh^?^?echo test^Mvim /etc/pam.d/password-auth-ac^Mman pam_tty_audit^Mman pam.d^Mvim /etc^Asudo ^E/pamd.sy^?^?^?^?^?.^?m.d/sy^I-a^Ia^?-a^I^Mman pam^Mt^?grep sys^?^?^?/var/lo^Ig/me^Is^I | grep pam_tty^Mgrep pam_tty /var/log/mes^I^M^[[A^Asudo ^Msudo su^M",
         "auditd.log.major": "136",
         "auditd.log.minor": "0",
@@ -174,7 +169,6 @@
         "user.id": "1000"
     },
     {
-        "@timestamp": "2016-01-03T00:37:51.394Z",
         "auditd.log.proctitle": "bash",
         "auditd.log.sequence": 194438,
         "event.action": "proctitle",
@@ -188,7 +182,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2016-01-03T00:37:51.394Z",
         "auditd.log.proctitle": "sshd: burn [priv]",
         "auditd.log.sequence": 194440,
         "event.action": "proctitle",
@@ -202,7 +195,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2019-11-15T19:01:24.309Z",
         "auditd.log.gpg_res": "1",
         "auditd.log.key_enforce": "0",
         "auditd.log.record_type": "SOFTWARE_UPDATE",
@@ -237,7 +229,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2019-11-15T19:00:56.144Z",
         "auditd.log.record_type": "SYSTEM_BOOT",
         "auditd.log.sequence": 5,
         "auditd.log.ses": "4294967295",
@@ -263,7 +254,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2019-11-15T19:01:57.054Z",
         "auditd.log.record_type": "SYSTEM_SHUTDOWN",
         "auditd.log.sequence": 1163,
         "auditd.log.ses": "4294967295",
@@ -289,8 +279,6 @@
         "user.id": "0"
     },
     {
-        "@timestamp": "2020-02-10T21:59:44.206Z",
-        "auditd.log.a0": "top",
         "auditd.log.sequence": 579393,
         "event.action": "execve",
         "event.dataset": "auditd.log",
@@ -300,11 +288,14 @@
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 2688,
+        "process.args": [
+            "top"
+        ],
         "process.args_count": 1,
+        "process.executable": "top",
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2020-02-10T21:59:44.206Z",
         "auditd.log.a0": "0x1fd05c0",
         "auditd.log.a1": "0x1fd2730",
         "auditd.log.a2": "0x1fd4640",
@@ -347,7 +338,6 @@
         "user.saved.id": "vagrant"
     },
     {
-        "@timestamp": "2020-02-10T21:59:44.206Z",
         "auditd.log.name": "mymodule",
         "auditd.log.record_type": "KERN_MODULE",
         "auditd.log.sequence": 579397,
@@ -370,7 +360,6 @@
         "service.type": "auditd"
     },
     {
-        "@timestamp": "2017-12-17T10:44:41.075Z",
         "auditd.log.op": "create",
         "auditd.log.reason": "api",
         "auditd.log.record_type": "VIRT_CONTROL",
@@ -398,7 +387,6 @@
         "user.name": "root"
     },
     {
-        "@timestamp": "2016-12-16T15:45:43.572Z",
         "auditd.log.img-ctx": "system_u:object_r:svirt_image_t:s0:c444,c977",
         "auditd.log.model": "selinux",
         "auditd.log.record_type": "VIRT_MACHINE_ID",
diff --git a/filebeat/module/auditd/log/test/useradd.log-expected.json b/filebeat/module/auditd/log/test/useradd.log-expected.json
index d76ad1288ad5..30d1ad5138c0 100644
--- a/filebeat/module/auditd/log/test/useradd.log-expected.json
+++ b/filebeat/module/auditd/log/test/useradd.log-expected.json
@@ -1,6 +1,5 @@
 [
     {
-        "@timestamp": "2021-01-17T17:12:33.686Z",
         "auditd.log.hostname": "ubuntu-bionic",
         "auditd.log.id": "1004",
         "auditd.log.op": "adding group to /etc/group",
@@ -38,7 +37,6 @@
         "user.terminal": "pts/2"
     },
     {
-        "@timestamp": "2021-01-17T17:12:33.710Z",
         "auditd.log.hostname": "ubuntu-bionic",
         "auditd.log.id": "1004",
         "auditd.log.op": "adding group to /etc/gshadow",
@@ -76,7 +74,6 @@
         "user.terminal": "pts/2"
     },
     {
-        "@timestamp": "2021-01-17T17:12:33.710Z",
         "auditd.log.hostname": "ubuntu-bionic",
         "auditd.log.id": "1004",
         "auditd.log.record_type": "ADD_GROUP",
@@ -113,7 +110,6 @@
         "user.terminal": "pts/2"
     },
     {
-        "@timestamp": "2021-01-17T17:12:33.730Z",
         "auditd.log.hostname": "ubuntu-bionic",
         "auditd.log.id": "1004",
         "auditd.log.op": "adding user",
@@ -151,7 +147,6 @@
         "user.terminal": "pts/2"
     },
     {
-        "@timestamp": "2021-01-17T17:12:33.814Z",
         "auditd.log.hostname": "localhost",
         "auditd.log.record_type": "USER_ACCT",
         "auditd.log.reset": "0",
@@ -188,7 +183,6 @@
         "user.terminal": "/dev/pts/2"
     },
     {
-        "@timestamp": "2021-01-17T17:12:38.174Z",
         "auditd.log.hostname": "ubuntu-bionic",
         "auditd.log.op": "PAM:chauthtok",
         "auditd.log.record_type": "USER_CHAUTHTOK",
@@ -226,7 +220,6 @@
         "user.terminal": "pts/2"
     },
     {
-        "@timestamp": "2021-01-17T17:12:38.178Z",
         "auditd.log.hostname": "ubuntu-bionic",
         "auditd.log.op": "PAM:authentication",
         "auditd.log.record_type": "USER_AUTH",
@@ -262,7 +255,6 @@
         "user.terminal": "pts/2"
     },
     {
-        "@timestamp": "2021-01-17T17:12:38.178Z",
         "auditd.log.hostname": "ubuntu-bionic",
         "auditd.log.op": "PAM:accounting",
         "auditd.log.record_type": "USER_ACCT",
diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
index b4ee0c7b4872..83769d83d1dc 100644
--- a/filebeat/tests/system/test_modules.py
+++ b/filebeat/tests/system/test_modules.py
@@ -11,6 +11,63 @@
 from parameterized import parameterized
 from deepdiff import DeepDiff
 
+# datasets for which @timestamp is removed due to date missing
+remove_timestamp = {
+    "activemq.audit",
+    "barracuda.spamfirewall",
+    "barracuda.waf",
+    "bluecoat.director",
+    "cef.log",
+    "cisco.asa",
+    "cisco.ios",
+    "citrix.netscaler",
+    "cylance.protect",
+    "f5.bigipafm",
+    "fortinet.clientendpoint",
+    "haproxy.log",
+    "icinga.startup",
+    "imperva.securesphere",
+    "infoblox.nios",
+    "iptables.log",
+    "juniper.junos",
+    "juniper.netscreen",
+    "netscout.sightline",
+    "proofpoint.emailsecurity",
+    "redis.log",
+    "snort.log",
+    "symantec.endpointprotection",
+    "system.auth",
+    "system.syslog",
+    "crowdstrike.falcon_endpoint",
+    "crowdstrike.falcon_audit",
+    "zoom.webhook",
+    "threatintel.otx",
+    "threatintel.abuseurl",
+    "threatintel.abusemalware",
+    "threatintel.anomali",
+    "threatintel.anomalithreatstream",
+    "threatintel.malwarebazaar",
+    "threatintel.recordedfuture",
+    "snyk.vulnerabilities",
+    "snyk.audit",
+    "awsfargate.log",
+}
+
+# dataset + log file pairs for which @timestamp is kept as an exception from above
+remove_timestamp_exception = {
+    ('system.syslog', 'tz-offset.log'),
+    ('system.auth', 'timestamp.log'),
+    ('cisco.asa', 'asa.log'),
+    ('cisco.asa', 'hostnames.log'),
+    ('cisco.asa', 'not-ip.log'),
+    ('cisco.asa', 'sample.log')
+}
+
+# array fields whose order is kept before comparison
+array_fields_dont_sort = {
+    "process.args"
+}
+
 
 def load_fileset_test_cases():
     """
@@ -198,7 +255,7 @@ def _test_expected_events(self, test_file, objects):
                     objects[k] = self.flatten_object(obj, {}, "")
                     clean_keys(objects[k])
                     for key in objects[k].keys():
-                        if isinstance(objects[k][key], list):
+                        if isinstance(objects[k][key], list) and key not in array_fields_dont_sort:
                             objects[k][key].sort(key=str)
 
                 json.dump(objects, f, indent=4, separators=(
@@ -247,56 +304,6 @@ def clean_keys(obj):
     other_keys = ["log.file.path", "agent.version"]
     # ECS versions change for any ECS release, large or small
     ecs_key = ["ecs.version"]
-    # datasets for which @timestamp is removed due to date missing
-    remove_timestamp = {
-        "activemq.audit",
-        "barracuda.spamfirewall",
-        "barracuda.waf",
-        "bluecoat.director",
-        "cef.log",
-        "cisco.asa",
-        "cisco.ios",
-        "citrix.netscaler",
-        "cylance.protect",
-        "f5.bigipafm",
-        "fortinet.clientendpoint",
-        "haproxy.log",
-        "icinga.startup",
-        "imperva.securesphere",
-        "infoblox.nios",
-        "iptables.log",
-        "juniper.junos",
-        "juniper.netscreen",
-        "netscout.sightline",
-        "proofpoint.emailsecurity",
-        "redis.log",
-        "snort.log",
-        "symantec.endpointprotection",
-        "system.auth",
-        "system.syslog",
-        "crowdstrike.falcon_endpoint",
-        "crowdstrike.falcon_audit",
-        "zoom.webhook",
-        "threatintel.otx",
-        "threatintel.abuseurl",
-        "threatintel.abusemalware",
-        "threatintel.anomali",
-        "threatintel.anomalithreatstream",
-        "threatintel.malwarebazaar",
-        "threatintel.recordedfuture",
-        "snyk.vulnerabilities",
-        "snyk.audit",
-        "awsfargate.log",
-    }
-    # dataset + log file pairs for which @timestamp is kept as an exception from above
-    remove_timestamp_exception = {
-        ('system.syslog', 'tz-offset.log'),
-        ('system.auth', 'timestamp.log'),
-        ('cisco.asa', 'asa.log'),
-        ('cisco.asa', 'hostnames.log'),
-        ('cisco.asa', 'not-ip.log'),
-        ('cisco.asa', 'sample.log')
-    }
 
     # Keep source log filename for exceptions
     filename = None