elastic · cwurm · Feb 5, 2019 · Jan 31, 2019 · Jan 31, 2019 · Jan 31, 2019
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -38,6 +38,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Change data type of `file.uid` and `file.gid` to string in JSON output of the
   FIM module. {pull}10195[10195]
 - Field `file.origin` changed type from `text` to `keyword`. {pull}10544[10544]
+- Rename user fields to ECS in auditd module. {pull}10456[10456]
 
 *Filebeat*
 

diff --git a/auditbeat/_meta/fields.common.yml b/auditbeat/_meta/fields.common.yml
@@ -55,20 +55,58 @@
     description: User information.
     fields:
 
+    - name: audit
+      type: group
+      description: Audit user information.
+      fields:
+      - name: id
+        type: keyword
+        description: Audit user ID.
+      - name: name
+        type: keyword
+        description: Audit user name.
+
     - name: effective
       type: group
       description: Effective user information.
       fields:
       - name: id
         type: keyword
         description: Effective user ID.
+      - name: name
+        type: keyword
+        description: Effective user name.
       - name: group
         type: group
         description: Effective group information.
         fields:
         - name: id
           type: keyword
           description: Effective group ID.
+        - name: name
+          type: keyword
+          description: Effective group name.
+
+    - name: filesystem
+      type: group
+      description: Filesystem user information.
+      fields:
+      - name: id
+        type: keyword
+        description: Filesystem user ID.
+      - name: name
+        type: keyword
+        description: Filesystem user name.
+      - name: group
+        type: group
+        description: Filesystem group information.
+        fields:
+        - name: id
+          type: keyword
+          description: Filesystem group ID.
+        - name: name
+          type: keyword
+          description: Filesystem group name.
 
     - name: saved
       type: group
@@ -77,10 +115,16 @@
       - name: id
         type: keyword
         description: Saved user ID.
+      - name: name
+        type: keyword
+        description: Saved user name.
       - name: group
         type: group
         description: Saved group information.
         fields:
         - name: id
           type: keyword
           description: Saved group ID.
+        - name: name
+          type: keyword
+          description: Saved group name.
diff --git a/auditbeat/docs/breaking.asciidoc b/auditbeat/docs/breaking.asciidoc
@@ -9,6 +9,24 @@ In version 7.0 the following fields were renamed.
 |Old Field|New Field
 |`process.cwd`            |`process.working_directory`
 |`source.hostname`        |`source.domain`
+|`user.auid`              |`user.audit.id`
+|`user.uid`               |`user.id`
+|`user.euid`              |`user.effective.id`
+|`user.fsuid`             |`user.filesystem.id`
+|`user.suid`              |`user.saved.id`
+|`user.gid`               |`user.group.id`
+|`user.egid`              |`user.effective.group.id`
+|`user.sgid`              |`user.saved.group.id`
+|`user.fsgid`             |`user.filesystem.group.id`
+|`user.name_map.auid`     |`user.audit.name`
+|`user.name_map.uid`      |`user.name`
+|`user.name_map.euid`     |`user.effective.name`
+|`user.name_map.fsuid`    |`user.filesystem.name`
+|`user.name_map.suid`     |`user.saved.name`
+|`user.name_map.gid`      |`user.group.name`
+|`user.name_map.egid`     |`user.effective.group.name`
+|`user.name_map.sgid`     |`user.saved.group.name`
+|`user.name_map.fsgid`    |`user.filesystem.group.name`
 |======================
 
 The JSON data types produced by the output have been changed to align with
@@ -148,4 +166,3 @@ moved under the `file` namespace.]
 |`audit.file.hash`         |`hash`
 |`audit.file`              |`file`
 |======================
-