elastic · cwurm · Dec 14, 2018 · Dec 11, 2018 · Dec 12, 2018 · Dec 12, 2018
diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -21,6 +21,7 @@ grouped in the following categories:
 * <<exported-fields-file_integrity>>
 * <<exported-fields-host-processor>>
 * <<exported-fields-kubernetes-processor>>
+* <<exported-fields-system>>
 
 --
 [[exported-fields-auditd]]
@@ -4956,3 +4957,284 @@ Kubernetes container image
 
 --
 
+[[exported-fields-system]]
+== System fields
+
+These are the fields generated by the system module.
+
+
+
+[float]
+== system.audit fields
+
+
+
+
+[float]
+== host fields
+
+`host` contains general host information.
+
+
+
+*`system.audit.host.uptime`*::
++
+--
+type: long
+
+Uptime in nanoseconds.
+
+
+--
+
+*`system.audit.host.boottime`*::
++
+--
+type: date
+
+Boot time.
+
+
+--
+
+*`system.audit.host.containerized`*::
++
+--
+type: boolean
+
+Set if host is a container.
+
+
+--
+
+*`system.audit.host.timezone.name`*::
++
+--
+type: keyword
+
+Name of the timezone of the host, e.g. BST.
+
+
+--
+
+*`system.audit.host.timezone.offset.sec`*::
++
+--
+type: long
+
+Timezone offset in seconds.
+
+
+--
+
+*`system.audit.host.hostname`*::
++
+--
+type: keyword
+
+Hostname.
+
+
+--
+
+*`system.audit.host.id`*::
++
+--
+type: keyword
+
+Host ID.
+
+
+--
+
+*`system.audit.host.architecture`*::
++
+--
+type: keyword
+
+Host architecture (e.g. x86_64).
+
+
+--
+
+*`system.audit.host.mac`*::
++
+--
+type: keyword
+
+MAC addresses.
+
+
+--
+
+*`system.audit.host.ip`*::
++
+--
+type: ip
+
+IP addresses.
+
+
+--
+
+[float]
+== os fields
+
+`os` contains information about the operating system.
+
+
+
+*`system.audit.host.os.platform`*::
++
+--
+type: keyword
+
+OS platform (e.g. centos, ubuntu, windows).
+
+
+--
+
+*`system.audit.host.os.name`*::
++
+--
+type: keyword
+
+OS name (e.g. Mac OS X).
+
+
+--
+
+*`system.audit.host.os.family`*::
++
+--
+type: keyword
+
+OS family (e.g. redhat, debian, freebsd, windows).
+
+
+--
+
+*`system.audit.host.os.version`*::
++
+--
+type: keyword
+
+OS version.
+
+
+--
+
+*`system.audit.host.os.kernel`*::
++
+--
+type: keyword
+
+The operating system's kernel version.
+
+
+--
+
+[float]
+== user fields
+
+`user` contains information about the users on a system.
+
+
+
+*`system.audit.user.name`*::
++
+--
+type: keyword
+
+User name.
+
+
+--
+
+*`system.audit.user.uid`*::
++
+--
+type: integer
+
+User ID.
+
+
+--
+
+*`system.audit.user.gid`*::
++
+--
+type: integer
+
+Group ID.
+
+
+--
+
+*`system.audit.user.dir`*::
++
+--
+type: keyword
+
+User's home directory.
+
+
+--
+
+*`system.audit.user.shell`*::
++
+--
+type: keyword
+
+Program to run at login.
+
+
+--
+
+*`system.audit.user.user_information`*::
++
+--
+type: text
+
+General user information. On Linux, this is the gecos field.
+
+
+--
+
+*`system.audit.user.group`*::
++
+--
+type: object
+
+`group` contains information about any groups the user is part of (beyond the user's primary group).
+
+
+--
+
+[float]
+== password fields
+
+`password` contains information about a user's password (not the password itself).
+
+
+
+*`system.audit.user.password.type`*::
++
+--
+type: keyword
+
+A user's password type. Possible values are `shadow_password` (the password hash is in the shadow file), `password_disabled`, `no_password` (this is dangerous as anyone can log in), and `crypt_password` (when the password field in /etc/passwd seems to contain an encrypted password).
+
+
+--
+
+*`system.audit.user.password.last_changed`*::
++
+--
+type: date
+
+The day the user's password was last changed.
+
+
+--
+
diff --git a/auditbeat/docs/modules_list.asciidoc b/auditbeat/docs/modules_list.asciidoc
@@ -4,9 +4,11 @@ This file is generated! See scripts/docs_collector.py
 
   * <<{beatname_lc}-module-auditd,Auditd>>
   * <<{beatname_lc}-module-file_integrity,File Integrity>>
+  * <<{beatname_lc}-module-system,System>>
 
 
 --
 
-include::modules/auditd.asciidoc[]
-include::modules/file_integrity.asciidoc[]
+include::./modules/auditd.asciidoc[]
+include::./modules/file_integrity.asciidoc[]
+include::../../x-pack/auditbeat/docs/modules/system.asciidoc[]
diff --git a/auditbeat/magefile.go b/auditbeat/magefile.go
@@ -121,8 +121,23 @@ func Config() error {
 // Update is an alias for running fields, dashboards, config, includes.
 func Update() {
 	mg.SerialDeps(Fields, Dashboards, Config,
-		mage.GenerateModuleIncludeListGo,
-		auditbeat.CollectDocs)
+		mage.GenerateModuleIncludeListGo, Docs)
+}
+
+// Docs collects the documentation.
+func Docs() {
+	mg.SerialDeps(xpackFields, combinedDocs)
+}
+
+// combinedDocs builds combined documentation for both OSS and X-Pack.
+func combinedDocs() error {
+	return auditbeat.CollectDocs(mage.OSSBeatDir(), auditbeat.XpackBeatDir())
+}
+
+// xpackFields creates x-pack/auditbeat/fields.yml - necessary to build
+// a combined documentation.
+func xpackFields() error {
+	return mage.Mage(auditbeat.XpackBeatDir(), "fields")
 }
 
 // Fmt formats source code and adds file headers.