Move hash config to reference yml.

x-pack/auditbeat/auditbeat.reference.yml

@@ -135,15 +135,6 @@ auditbeat.modules:
   # socket.state.period: 12h
   # user.state.period: 12h
 
-  # Disabled by default. If enabled, the socket dataset will
-  # report sockets to and from localhost.
-  # socket.include_localhost: false
-
-  # Enabled by default. Auditbeat will read password fields in
-  # /etc/passwd and /etc/shadow and store a hash locally to
-  # detect any changes.
-  user.detect_password_changes: true
-
   # Average file read rate for hashing of the process executable. Default is "50 MiB".
   process.hash.scan_rate_per_sec: 50 MiB
 
@@ -156,6 +147,15 @@ auditbeat.modules:
   # Default is sha1.
   process.hash.hash_types: [sha1]
 
+  # Disabled by default. If enabled, the socket dataset will
+  # report sockets to and from localhost.
+  # socket.include_localhost: false
+
+  # Enabled by default. Auditbeat will read password fields in
+  # /etc/passwd and /etc/shadow and store a hash locally to
+  # detect any changes.
+  user.detect_password_changes: true
+
   # File patterns of the login record files.
   # wtmp: History of successful logins, logouts, and system shutdowns and boots.
   # btmp: Failed login attempts.

x-pack/auditbeat/auditbeat.yml

@@ -66,18 +66,6 @@ auditbeat.modules:
   # detect any changes.
   user.detect_password_changes: true
 
-  # Average file read rate for hashing of the process executable. Default is "50 MiB".
-  process.hash.scan_rate_per_sec: 50 MiB
-
-  # Limit on the size of the process executable that will be hashed. Default is "100 MiB".
-  process.hash.max_file_size: 100 MiB
-
-  # Hash types to compute of the process executable. Supported types are
-  # blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384,
-  # sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, and xxh64.
-  # Default is sha1.
-  process.hash.hash_types: [sha1]
-
   # File patterns of the login record files.
   login.wtmp_file_pattern: /var/log/wtmp*
   login.btmp_file_pattern: /var/log/btmp*

x-pack/auditbeat/module/system/_meta/config.yml.tmpl

@@ -35,7 +35,19 @@
   {{ if eq .GOOS "linux" -}}
   # socket.state.period: 12h
   # user.state.period: 12h
-  {{- end -}}
+  {{- end }}
+
+  # Average file read rate for hashing of the process executable. Default is "50 MiB".
+  process.hash.scan_rate_per_sec: 50 MiB
+
+  # Limit on the size of the process executable that will be hashed. Default is "100 MiB".
+  process.hash.max_file_size: 100 MiB
+
+  # Hash types to compute of the process executable. Supported types are
+  # blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384,
+  # sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, and xxh64.
+  # Default is sha1.
+  process.hash.hash_types: [sha1]
 {{- end -}}
 {{- if eq .GOOS "linux" -}}
 
@@ -51,19 +63,6 @@
   # detect any changes.
   user.detect_password_changes: true
 
-  # Average file read rate for hashing of the process executable. Default is "50 MiB".
-  process.hash.scan_rate_per_sec: 50 MiB
-
-  # Limit on the size of the process executable that will be hashed. Default is "100 MiB".
-  process.hash.max_file_size: 100 MiB
-
-  # Hash types to compute of the process executable. Supported types are
-  # blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384,
-  # sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, and xxh64.
-  # Default is sha1.
-  process.hash.hash_types: [sha1]
-
-  {{ if eq .GOOS "linux" -}}
   # File patterns of the login record files.
 {{- if .Reference }}
   # wtmp: History of successful logins, logouts, and system shutdowns and boots.