From aebcf9c181bf17721c224e3e29f742689f27111f Mon Sep 17 00:00:00 2001
From: Christoph Wurm <cw@elastic.co>
Date: Mon, 17 Dec 2018 17:50:24 +0000
Subject: [PATCH] [Auditbeat] Add system module (#9546)

Adds the system module to Auditbeat, with four metricsets: host, process, socket, and user. A fifth metricset - packages - is disabled for now.

Host collects general host information, e.g. boottime, timezone, OS, network interfaces. Processes collects information about currently running, started, and stopped processes. Socket collects information about open sockets. User detects new users, deleted users, changes to users (e.g. groups), and - as a special distinct category - password changes.
---
 .travis.yml                                   |    4 +
 CHANGELOG.asciidoc                            |    2 +
 Makefile                                      |   10 +-
 Vagrantfile                                   |    5 +-
 auditbeat/Dockerfile                          |   21 +-
 auditbeat/Makefile                            |   32 +-
 auditbeat/auditbeat.yml                       |    1 -
 auditbeat/core/eventmod.go                    |    6 +
 auditbeat/docker-compose.yml                  |    6 +-
 auditbeat/docs/fields.asciidoc                |  282 ++++
 auditbeat/docs/modules/auditd.asciidoc        |    1 +
 auditbeat/docs/modules_list.asciidoc          |    4 +-
 auditbeat/include/list.go                     |    5 +-
 auditbeat/magefile.go                         |  249 ++--
 auditbeat/module/auditd/_meta/config.yml.tmpl |    2 +-
 .../file_integrity/_meta/config.yml.tmpl      |    2 +-
 auditbeat/scripts/docs_collector.py           |   71 +-
 auditbeat/scripts/generate_config.go          |  141 --
 auditbeat/scripts/mage/config.go              |  105 ++
 auditbeat/scripts/mage/docs.go                |  101 ++
 auditbeat/scripts/mage/package.go             |  114 ++
 auditbeat/tests/system/auditbeat.py           |    7 +-
 auditbeat/tests/system/test_base.py           |    2 +-
 .../module_include_list.go                    |    2 +-
 dev-tools/mage/common.go                      |   11 +
 dev-tools/mage/crossbuild.go                  |   26 +-
 dev-tools/mage/fields.go                      |   42 +-
 dev-tools/mage/fmt.go                         |    8 +-
 dev-tools/mage/integtest.go                   |    9 +
 dev-tools/mage/kibana.go                      |   32 +
 dev-tools/mage/pkgspecs.go                    |   38 +-
 dev-tools/mage/pkgtypes.go                    |   13 +-
 dev-tools/mage/pytest.go                      |    6 +-
 dev-tools/make/xpack.mk                       |    9 +-
 dev-tools/packaging/packages.yml              |   59 +-
 libbeat/common/file/fileinfo.go               |    6 +
 libbeat/common/file/fileinfo_unix.go          |    4 +
 libbeat/common/file/fileinfo_windows.go       |    4 +
 libbeat/generator/fields/fields.go            |   34 +-
 .../fields/module_fields_collector.go         |   26 +-
 libbeat/scripts/Makefile                      |    9 +-
 libbeat/scripts/generate_fields_docs.py       |    8 +-
 libbeat/tests/system/beat/beat.py             |   17 +-
 libbeat/tests/system/test_base.py             |    7 +-
 .../system => helper}/socket/listeners.go     |    0
 .../socket/listeners_test.go                  |    0
 metricbeat/helper/socket/netlink.go           |   54 +
 .../system => helper}/socket/ptable.go        |    0
 metricbeat/module/system/socket/socket.go     |   28 +-
 metricbeat/tests/system/metricbeat.py         |    8 +-
 x-pack/auditbeat/.gitignore                   |    4 +
 x-pack/auditbeat/Makefile                     |    3 +
 x-pack/auditbeat/auditbeat.docker.yml         |   21 +
 x-pack/auditbeat/auditbeat.reference.yml      | 1278 +++++++++++++++++
 x-pack/auditbeat/auditbeat.yml                |  195 +++
 x-pack/auditbeat/cache/cache.go               |   59 +
 x-pack/auditbeat/cache/cache_test.go          |   55 +
 x-pack/auditbeat/cmd/root.go                  |    5 +-
 x-pack/auditbeat/docker-compose.yml           |   13 +
 x-pack/auditbeat/docs/modules/system.asciidoc |  148 ++
 .../docs/modules/system/host.asciidoc         |   21 +
 .../docs/modules/system/process.asciidoc      |   21 +
 .../docs/modules/system/socket.asciidoc       |   21 +
 .../docs/modules/system/user.asciidoc         |   21 +
 x-pack/auditbeat/include/fields.go            |   22 +
 x-pack/auditbeat/include/list.go              |   16 +
 x-pack/auditbeat/magefile.go                  |  173 +++
 x-pack/auditbeat/main_test.go                 |   30 +
 .../module/system/_meta/config.yml.tmpl       |   41 +
 .../module/system/_meta/docs.asciidoc         |   92 ++
 .../auditbeat/module/system/_meta/fields.yml  |   10 +
 .../module/system/host/_meta/data.json        |   54 +
 .../module/system/host/_meta/docs.asciidoc    |    7 +
 .../module/system/host/_meta/fields.yml       |   71 +
 x-pack/auditbeat/module/system/host/config.go |   28 +
 x-pack/auditbeat/module/system/host/host.go   |  469 ++++++
 .../auditbeat/module/system/host/host_test.go |   32 +
 .../module/system/packages/_meta/data.json    |   30 +
 .../packages/_meta/docs.asciidoc.disabled     |    8 +
 .../system/packages/_meta/fields.yml.disabled |   50 +
 .../module/system/packages/config.go          |   19 +
 .../module/system/packages/packages.go        |  338 +++++
 .../module/system/packages/packages_test.go   |   28 +
 .../module/system/process/_meta/data.json     |   29 +
 .../module/system/process/_meta/docs.asciidoc |    7 +
 .../auditbeat/module/system/process/config.go |   31 +
 .../module/system/process/process.go          |  326 +++++
 .../module/system/process/process_test.go     |   37 +
 .../module/system/socket/_meta/data.json      |   38 +
 .../module/system/socket/_meta/docs.asciidoc  |    7 +
 .../auditbeat/module/system/socket/config.go  |   31 +
 .../auditbeat/module/system/socket/socket.go  |  414 ++++++
 .../module/system/socket/socket_other.go      |   29 +
 .../module/system/socket/socket_test.go       |  125 ++
 .../module/system/user/_meta/data.json        |   48 +
 .../module/system/user/_meta/docs.asciidoc    |    7 +
 .../module/system/user/_meta/fields.yml       |   60 +
 x-pack/auditbeat/module/system/user/config.go |   30 +
 x-pack/auditbeat/module/system/user/user.go   |  534 +++++++
 .../auditbeat/module/system/user/user_test.go |   38 +
 .../module/system/user/users_linux.go         |  225 +++
 .../module/system/user/users_other.go         |   29 +
 .../auditbeat/tests/system/auditbeat_xpack.py |   55 +
 .../auditbeat/tests/system/test_metricsets.py |   92 ++
 x-pack/filebeat/include/list.go               |    2 +-
 x-pack/filebeat/magefile.go                   |    2 +-
 x-pack/functionbeat/magefile.go               |    2 +-
 x-pack/metricbeat/include/list.go             |    2 +-
 x-pack/metricbeat/magefile.go                 |    2 +-
 109 files changed, 6671 insertions(+), 547 deletions(-)
 delete mode 100644 auditbeat/scripts/generate_config.go
 create mode 100644 auditbeat/scripts/mage/config.go
 create mode 100644 auditbeat/scripts/mage/docs.go
 create mode 100644 auditbeat/scripts/mage/package.go
 rename metricbeat/{module/system => helper}/socket/listeners.go (100%)
 rename metricbeat/{module/system => helper}/socket/listeners_test.go (100%)
 create mode 100644 metricbeat/helper/socket/netlink.go
 rename metricbeat/{module/system => helper}/socket/ptable.go (100%)
 create mode 100644 x-pack/auditbeat/.gitignore
 create mode 100644 x-pack/auditbeat/Makefile
 create mode 100644 x-pack/auditbeat/auditbeat.docker.yml
 create mode 100644 x-pack/auditbeat/auditbeat.reference.yml
 create mode 100644 x-pack/auditbeat/auditbeat.yml
 create mode 100644 x-pack/auditbeat/cache/cache.go
 create mode 100644 x-pack/auditbeat/cache/cache_test.go
 create mode 100644 x-pack/auditbeat/docker-compose.yml
 create mode 100644 x-pack/auditbeat/docs/modules/system.asciidoc
 create mode 100644 x-pack/auditbeat/docs/modules/system/host.asciidoc
 create mode 100644 x-pack/auditbeat/docs/modules/system/process.asciidoc
 create mode 100644 x-pack/auditbeat/docs/modules/system/socket.asciidoc
 create mode 100644 x-pack/auditbeat/docs/modules/system/user.asciidoc
 create mode 100644 x-pack/auditbeat/include/fields.go
 create mode 100644 x-pack/auditbeat/include/list.go
 create mode 100644 x-pack/auditbeat/magefile.go
 create mode 100644 x-pack/auditbeat/main_test.go
 create mode 100644 x-pack/auditbeat/module/system/_meta/config.yml.tmpl
 create mode 100644 x-pack/auditbeat/module/system/_meta/docs.asciidoc
 create mode 100644 x-pack/auditbeat/module/system/_meta/fields.yml
 create mode 100644 x-pack/auditbeat/module/system/host/_meta/data.json
 create mode 100644 x-pack/auditbeat/module/system/host/_meta/docs.asciidoc
 create mode 100644 x-pack/auditbeat/module/system/host/_meta/fields.yml
 create mode 100644 x-pack/auditbeat/module/system/host/config.go
 create mode 100644 x-pack/auditbeat/module/system/host/host.go
 create mode 100644 x-pack/auditbeat/module/system/host/host_test.go
 create mode 100644 x-pack/auditbeat/module/system/packages/_meta/data.json
 create mode 100644 x-pack/auditbeat/module/system/packages/_meta/docs.asciidoc.disabled
 create mode 100644 x-pack/auditbeat/module/system/packages/_meta/fields.yml.disabled
 create mode 100644 x-pack/auditbeat/module/system/packages/config.go
 create mode 100644 x-pack/auditbeat/module/system/packages/packages.go
 create mode 100644 x-pack/auditbeat/module/system/packages/packages_test.go
 create mode 100644 x-pack/auditbeat/module/system/process/_meta/data.json
 create mode 100644 x-pack/auditbeat/module/system/process/_meta/docs.asciidoc
 create mode 100644 x-pack/auditbeat/module/system/process/config.go
 create mode 100644 x-pack/auditbeat/module/system/process/process.go
 create mode 100644 x-pack/auditbeat/module/system/process/process_test.go
 create mode 100644 x-pack/auditbeat/module/system/socket/_meta/data.json
 create mode 100644 x-pack/auditbeat/module/system/socket/_meta/docs.asciidoc
 create mode 100644 x-pack/auditbeat/module/system/socket/config.go
 create mode 100644 x-pack/auditbeat/module/system/socket/socket.go
 create mode 100644 x-pack/auditbeat/module/system/socket/socket_other.go
 create mode 100644 x-pack/auditbeat/module/system/socket/socket_test.go
 create mode 100644 x-pack/auditbeat/module/system/user/_meta/data.json
 create mode 100644 x-pack/auditbeat/module/system/user/_meta/docs.asciidoc
 create mode 100644 x-pack/auditbeat/module/system/user/_meta/fields.yml
 create mode 100644 x-pack/auditbeat/module/system/user/config.go
 create mode 100644 x-pack/auditbeat/module/system/user/user.go
 create mode 100644 x-pack/auditbeat/module/system/user/user_test.go
 create mode 100644 x-pack/auditbeat/module/system/user/users_linux.go
 create mode 100644 x-pack/auditbeat/module/system/user/users_other.go
 create mode 100644 x-pack/auditbeat/tests/system/auditbeat_xpack.py
 create mode 100644 x-pack/auditbeat/tests/system/test_metricsets.py

diff --git a/.travis.yml b/.travis.yml
index 60282e2c955e..7ea410b0bfe6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -62,6 +62,10 @@ jobs:
       env: TARGETS="-C auditbeat crosscompile"
       go: $GO_VERSION
       stage: test
+    - os: linux
+      env: TARGETS="-C x-pack/auditbeat testsuite"
+      go: $GO_VERSION
+      stage: test
 
     # Libbeat
     - os: linux
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 62790272e476..11e8a3ac5290 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -97,6 +97,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha1...master[Check the HEAD d
 
 *Auditbeat*
 
+- Add system module. {pull}9546[9546]
+
 *Filebeat*
 
 - Added `detect_null_bytes` selector to detect null bytes from a io.reader. {pull}9210[9210]
diff --git a/Makefile b/Makefile
index 20af5832d580..ce6953c2c4d5 100644
--- a/Makefile
+++ b/Makefile
@@ -13,11 +13,15 @@ REVIEWDOG_OPTIONS?=-diff "git diff master"
 REVIEWDOG_REPO=github.com/haya14busa/reviewdog/cmd/reviewdog
 XPACK_SUFFIX=x-pack/
 
+# PROJECTS_XPACK_PKG is a list of Beats that have independent packaging support
+# in the x-pack directory (rather than having the OSS build produce both sets
+# of artifacts). This will be removed once we complete the transition.
+PROJECTS_XPACK_PKG=x-pack/auditbeat
 # PROJECTS_XPACK_MAGE is a list of Beats whose primary build logic is based in
 # Mage. For compatibility with CI testing these projects support a subset of the
 # makefile targets. After all Beats converge to primarily using Mage we can
 # remove this and treat all sub-projects the same.
-PROJECTS_XPACK_MAGE=x-pack/filebeat x-pack/metricbeat
+PROJECTS_XPACK_MAGE=x-pack/filebeat x-pack/metricbeat $(PROJECTS_XPACK_PKG)
 
 # Runs complete testsuites (unit, system, integration) for all beats with coverage and race detection.
 # Also it builds the docs and the generators
@@ -156,8 +160,8 @@ snapshot:
 # Builds a release.
 .PHONY: release
 release: beats-dashboards
-	@$(foreach var,$(BEATS),$(MAKE) -C $(var) release || exit 1;)
-	@$(foreach var,$(BEATS), \
+	@$(foreach var,$(BEATS) $(PROJECTS_XPACK_PKG),$(MAKE) -C $(var) release || exit 1;)
+	@$(foreach var,$(BEATS) $(PROJECTS_XPACK_PKG), \
       test -d $(var)/build/distributions && test -n "$$(ls $(var)/build/distributions)" || exit 0; \
       mkdir -p build/distributions/$(subst $(XPACK_SUFFIX),'',$(var)) && mv -f $(var)/build/distributions/* build/distributions/$(subst $(XPACK_SUFFIX),'',$(var))/ || exit 1;)
 
diff --git a/Vagrantfile b/Vagrantfile
index 310e5e097596..b795898812db 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -37,7 +37,7 @@ cmd /c mklink /d C:\\Gopath\\src\\github.com\\elastic\\beats \\\\vboxsvr\\vagran
 
 echo "Installing gvm to manage go version"
 [Net.ServicePointManager]::SecurityProtocol = "tls12"
-Invoke-WebRequest -URI https://github.com/andrewkroh/gvm/releases/download/v0.0.5/gvm-windows-amd64.exe -Outfile C:\Windows\System32\gvm.exe
+Invoke-WebRequest -URI https://github.com/andrewkroh/gvm/releases/download/v0.1.0/gvm-windows-amd64.exe -Outfile C:\Windows\System32\gvm.exe
 C:\Windows\System32\gvm.exe --format=powershell #{GO_VERSION} | Invoke-Expression
 go version
 
@@ -72,8 +72,9 @@ SCRIPT
 $linuxGvmProvision = <<SCRIPT
 mkdir -p ~/bin
 if [ ! -e "~/bin/gvm" ]; then
-  curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.0.5/gvm-linux-amd64
+  curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.1.0/gvm-linux-amd64
   chmod +x ~/bin/gvm
+  ~/bin/gvm $GO_VERSION
   echo 'export GOPATH=$HOME/go' >> ~/.bash_profile
   echo 'export PATH=$HOME/bin:$GOPATH/bin:$PATH' >> ~/.bash_profile
   echo 'eval "$(gvm #{GO_VERSION})"' >> ~/.bash_profile
diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile
index 801ffe52c1b6..77694510be9b 100644
--- a/auditbeat/Dockerfile
+++ b/auditbeat/Dockerfile
@@ -1,17 +1,12 @@
 FROM golang:1.11.3
-MAINTAINER Nicolas Ruflin <ruflin@elastic.co>
 
-RUN set -x && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-         netcat python-pip virtualenv && \
-    apt-get clean
+RUN \
+    apt-get update \
+      && apt-get install -y --no-install-recommends \
+         python-pip \
+         virtualenv \
+      && rm -rf /var/lib/apt/lists/*
 
+RUN pip install --upgrade pip
 RUN pip install --upgrade setuptools
-
-# Setup work environment
-ENV AUDITBEAT_PATH /go/src/github.com/elastic/beats/auditbeat
-
-RUN mkdir -p $AUDITBEAT_PATH/build/coverage
-WORKDIR $AUDITBEAT_PATH
-HEALTHCHECK CMD exit 0
+RUN pip install --upgrade docker-compose==1.21.0
diff --git a/auditbeat/Makefile b/auditbeat/Makefile
index b669a6d5b8b3..7752497b0da4 100644
--- a/auditbeat/Makefile
+++ b/auditbeat/Makefile
@@ -3,36 +3,12 @@ BEAT_TITLE=Auditbeat
 SYSTEM_TESTS=true
 TEST_ENVIRONMENT?=true
 GOX_OS?=linux windows ## @Building List of all OS to be supported by "make crosscompile".
-DEV_OS?=linux
 ES_BEATS?=..
+EXCLUDE_COMMON_UPDATE_TARGET=true
 
 # Path to the libbeat Makefile
 include ${ES_BEATS}/libbeat/scripts/Makefile
 
-# Collects all dependencies and then calls update
-.PHONY: collect
-collect: collect-docs configs kibana
-
-# Collects all module configs
-.PHONY: configs
-configs: python-env
-	@cat ${ES_BEATS}/auditbeat/_meta/common.p1.yml \
-		<(go run scripts/generate_config.go -os ${DEV_OS} -concat) \
-		${ES_BEATS}/auditbeat/_meta/common.p2.yml > _meta/beat.yml
-	@cat ${ES_BEATS}/auditbeat/_meta/common.reference.yml \
-		<(go run scripts/generate_config.go -os ${DEV_OS} -ref -concat) > _meta/beat.reference.yml
-
-# Collects all module docs
-.PHONY: collect-docs
-collect-docs: python-env
-	@rm -rf docs/modules
-	@mkdir -p docs/modules
-	@go run scripts/generate_config.go -os linux
-	@${PYTHON_ENV}/bin/python ${ES_BEATS}/auditbeat/scripts/docs_collector.py --beat ${BEAT_NAME}
-
-# Collects all module dashboards
-.PHONY: kibana
-kibana:
-	@-rm -rf _meta/kibana.generated
-	@mkdir -p _meta/kibana.generated
-	@-cp -pr module/*/_meta/kibana/* _meta/kibana.generated
+.PHONY: update
+update: mage
+	mage update
diff --git a/auditbeat/auditbeat.yml b/auditbeat/auditbeat.yml
index 79a1b1cb9028..ad966d38c65a 100644
--- a/auditbeat/auditbeat.yml
+++ b/auditbeat/auditbeat.yml
@@ -48,7 +48,6 @@ auditbeat.modules:
   - /etc
 
 
-
 #==================== Elasticsearch template setting ==========================
 setup.template.settings:
   index.number_of_shards: 3
diff --git a/auditbeat/core/eventmod.go b/auditbeat/core/eventmod.go
index 0dd2f5a74c84..3dfe57d82d35 100644
--- a/auditbeat/core/eventmod.go
+++ b/auditbeat/core/eventmod.go
@@ -30,4 +30,10 @@ func AddDatasetToEvent(module, metricSet string, event *mb.Event) {
 	}
 
 	event.RootFields.Put("event.module", module)
+
+	// Modules without "datasets" should set their module and metricset names
+	// to the same value then this will omit the event.dataset field.
+	if module != metricSet {
+		event.RootFields.Put("event.dataset", metricSet)
+	}
 }
diff --git a/auditbeat/docker-compose.yml b/auditbeat/docker-compose.yml
index 9b7fafde3316..f9fca6988251 100644
--- a/auditbeat/docker-compose.yml
+++ b/auditbeat/docker-compose.yml
@@ -4,10 +4,12 @@ services:
     build: ${PWD}/.
     depends_on:
       - proxy_dep
-    env_file:
-      - ${PWD}/build/test.env
     working_dir: /go/src/github.com/elastic/beats/auditbeat
     environment:
+      - ES_HOST=elasticsearch
+      - ES_PORT=9200
+      - ES_USER=beats
+      - ES_PASS=testing
       - KIBANA_HOST=kibana
       - KIBANA_PORT=5601
     volumes:
diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
index 5d1dc03a42e0..9dfbd37aa9c6 100644
--- a/auditbeat/docs/fields.asciidoc
+++ b/auditbeat/docs/fields.asciidoc
@@ -21,6 +21,7 @@ grouped in the following categories:
 * <<exported-fields-file_integrity>>
 * <<exported-fields-host-processor>>
 * <<exported-fields-kubernetes-processor>>
+* <<exported-fields-system>>
 
 --
 [[exported-fields-auditd]]
@@ -5928,3 +5929,284 @@ Kubernetes container image
 
 --
 
+[[exported-fields-system]]
+== System fields
+
+These are the fields generated by the system module.
+
+
+
+[float]
+== system.audit fields
+
+
+
+
+[float]
+== host fields
+
+`host` contains general host information.
+
+
+
+*`system.audit.host.uptime`*::
++
+--
+type: long
+
+Uptime in nanoseconds.
+
+
+--
+
+*`system.audit.host.boottime`*::
++
+--
+type: date
+
+Boot time.
+
+
+--
+
+*`system.audit.host.containerized`*::
++
+--
+type: boolean
+
+Set if host is a container.
+
+
+--
+
+*`system.audit.host.timezone.name`*::
++
+--
+type: keyword
+
+Name of the timezone of the host, e.g. BST.
+
+
+--
+
+*`system.audit.host.timezone.offset.sec`*::
++
+--
+type: long
+
+Timezone offset in seconds.
+
+
+--
+
+*`system.audit.host.hostname`*::
++
+--
+type: keyword
+
+Hostname.
+
+
+--
+
+*`system.audit.host.id`*::
++
+--
+type: keyword
+
+Host ID.
+
+
+--
+
+*`system.audit.host.architecture`*::
++
+--
+type: keyword
+
+Host architecture (e.g. x86_64).
+
+
+--
+
+*`system.audit.host.mac`*::
++
+--
+type: keyword
+
+MAC addresses.
+
+
+--
+
+*`system.audit.host.ip`*::
++
+--
+type: ip
+
+IP addresses.
+
+
+--
+
+[float]
+== os fields
+
+`os` contains information about the operating system.
+
+
+
+*`system.audit.host.os.platform`*::
++
+--
+type: keyword
+
+OS platform (e.g. centos, ubuntu, windows).
+
+
+--
+
+*`system.audit.host.os.name`*::
++
+--
+type: keyword
+
+OS name (e.g. Mac OS X).
+
+
+--
+
+*`system.audit.host.os.family`*::
++
+--
+type: keyword
+
+OS family (e.g. redhat, debian, freebsd, windows).
+
+
+--
+
+*`system.audit.host.os.version`*::
++
+--
+type: keyword
+
+OS version.
+
+
+--
+
+*`system.audit.host.os.kernel`*::
++
+--
+type: keyword
+
+The operating system's kernel version.
+
+
+--
+
+[float]
+== user fields
+
+`user` contains information about the users on a system.
+
+
+
+*`system.audit.user.name`*::
++
+--
+type: keyword
+
+User name.
+
+
+--
+
+*`system.audit.user.uid`*::
++
+--
+type: integer
+
+User ID.
+
+
+--
+
+*`system.audit.user.gid`*::
++
+--
+type: integer
+
+Group ID.
+
+
+--
+
+*`system.audit.user.dir`*::
++
+--
+type: keyword
+
+User's home directory.
+
+
+--
+
+*`system.audit.user.shell`*::
++
+--
+type: keyword
+
+Program to run at login.
+
+
+--
+
+*`system.audit.user.user_information`*::
++
+--
+type: text
+
+General user information. On Linux, this is the gecos field.
+
+
+--
+
+*`system.audit.user.group`*::
++
+--
+type: object
+
+`group` contains information about any groups the user is part of (beyond the user's primary group).
+
+
+--
+
+[float]
+== password fields
+
+`password` contains information about a user's password (not the password itself).
+
+
+
+*`system.audit.user.password.type`*::
++
+--
+type: keyword
+
+A user's password type. Possible values are `shadow_password` (the password hash is in the shadow file), `password_disabled`, `no_password` (this is dangerous as anyone can log in), and `crypt_password` (when the password field in /etc/passwd seems to contain an encrypted password).
+
+
+--
+
+*`system.audit.user.password.last_changed`*::
++
+--
+type: date
+
+The day the user's password was last changed.
+
+
+--
+
diff --git a/auditbeat/docs/modules/auditd.asciidoc b/auditbeat/docs/modules/auditd.asciidoc
index 899b1180324e..86ecaf7a5223 100644
--- a/auditbeat/docs/modules/auditd.asciidoc
+++ b/auditbeat/docs/modules/auditd.asciidoc
@@ -297,5 +297,6 @@ auditbeat.modules:
     ## Unauthorized access attempts.
     #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
     #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+
 ----
 
diff --git a/auditbeat/docs/modules_list.asciidoc b/auditbeat/docs/modules_list.asciidoc
index 84c110b16c35..184457a796b9 100644
--- a/auditbeat/docs/modules_list.asciidoc
+++ b/auditbeat/docs/modules_list.asciidoc
@@ -8,5 +8,5 @@ This file is generated! See scripts/docs_collector.py
 
 --
 
-include::modules/auditd.asciidoc[]
-include::modules/file_integrity.asciidoc[]
+include::./modules/auditd.asciidoc[]
+include::./modules/file_integrity.asciidoc[]
diff --git a/auditbeat/include/list.go b/auditbeat/include/list.go
index 2abe97624cdc..9caf964de2ae 100644
--- a/auditbeat/include/list.go
+++ b/auditbeat/include/list.go
@@ -15,11 +15,12 @@
 // specific language governing permissions and limitations
 // under the License.
 
+// Code generated by beats/dev-tools/module_include_list/module_include_list.go - DO NOT EDIT.
+
 package include
 
 import (
-	// Include all Auditbeat modules so that they register their
-	// factories with the global registry.
+	// Import packages that need to register themselves.
 	_ "github.com/elastic/beats/auditbeat/module/auditd"
 	_ "github.com/elastic/beats/auditbeat/module/file_integrity"
 )
diff --git a/auditbeat/magefile.go b/auditbeat/magefile.go
index 8b6a0eedea1e..3effbe0a511b 100644
--- a/auditbeat/magefile.go
+++ b/auditbeat/magefile.go
@@ -22,13 +22,11 @@ package main
 import (
 	"context"
 	"fmt"
-	"regexp"
 	"time"
 
 	"github.com/magefile/mage/mg"
-	"github.com/magefile/mage/sh"
-	"github.com/pkg/errors"
 
+	auditbeat "github.com/elastic/beats/auditbeat/scripts/mage"
 	"github.com/elastic/beats/dev-tools/mage"
 )
 
@@ -36,6 +34,12 @@ func init() {
 	mage.BeatDescription = "Audit the activities of users and processes on your system."
 }
 
+// Aliases provides compatibility with CI while we transition all Beats
+// to having common testing targets.
+var Aliases = map[string]interface{}{
+	"goTestUnit": GoUnitTest, // dev-tools/jenkins_ci.ps1 uses this.
+}
+
 // Build builds the Beat binary.
 func Build() error {
 	return mage.Build(mage.DefaultBuildArgs())
@@ -57,11 +61,6 @@ func CrossBuild() error {
 	return mage.CrossBuild()
 }
 
-// CrossBuildXPack cross-builds the beat with XPack for all target platforms.
-func CrossBuildXPack() error {
-	return mage.CrossBuildXPack()
-}
-
 // CrossBuildGoDaemon cross-builds the go-daemon binary using Docker.
 func CrossBuildGoDaemon() error {
 	return mage.CrossBuildGoDaemon()
@@ -80,11 +79,12 @@ func Package() {
 	start := time.Now()
 	defer func() { fmt.Println("package ran for", time.Since(start)) }()
 
-	mage.UseElasticBeatPackaging()
-	customizePackaging()
+	mage.UseElasticBeatOSSPackaging()
+	mage.PackageKibanaDashboardsFromBuildDir()
+	auditbeat.CustomizePackaging()
 
-	mg.Deps(Update)
-	mg.Deps(makeConfigTemplates, CrossBuild, CrossBuildXPack, CrossBuildGoDaemon)
+	mg.SerialDeps(Fields, Dashboards, Config, mage.GenerateModuleIncludeListGo)
+	mg.Deps(CrossBuild, CrossBuildGoDaemon)
 	mg.SerialDeps(mage.Package, TestPackages)
 }
 
@@ -93,191 +93,104 @@ func TestPackages() error {
 	return mage.TestPackages()
 }
 
-// Update updates the generated files (aka make update).
-func Update() error {
-	return sh.Run("make", "update")
-}
-
 // Fields generates a fields.yml for the Beat.
 func Fields() error {
 	return mage.GenerateFieldsYAML("module")
 }
 
-// ExportDashboard exports a dashboard and writes it into the correct directory
+// ExportDashboard exports a dashboard and writes it into the correct directory.
 //
-// Required ENV variables:
-// * MODULE: Name of the module
-// * ID: Dashboard id
+// Required environment variables:
+// - MODULE: Name of the module
+// - ID:     Dashboard id
 func ExportDashboard() error {
 	return mage.ExportDashboard()
 }
 
-// GoTestUnit executes the Go unit tests.
-// Use TEST_COVERAGE=true to enable code coverage profiling.
-// Use RACE_DETECTOR=true to enable the race detector.
-func GoTestUnit(ctx context.Context) error {
-	return mage.GoTest(ctx, mage.DefaultGoTestUnitArgs())
+// Dashboards collects all the dashboards and generates index patterns.
+func Dashboards() error {
+	return mage.KibanaDashboards("module")
 }
 
-// GoTestIntegration executes the Go integration tests.
-// Use TEST_COVERAGE=true to enable code coverage profiling.
-// Use RACE_DETECTOR=true to enable the race detector.
-func GoTestIntegration(ctx context.Context) error {
-	return mage.GoTest(ctx, mage.DefaultGoTestIntegrationArgs())
+// Config generates both the short/reference configs and populates the modules.d
+// directory.
+func Config() error {
+	return auditbeat.Config(auditbeat.ConfigTemplateGlob)
 }
 
-// -----------------------------------------------------------------------------
-// Customizations specific to Auditbeat.
-// - Config files are Go templates.
+// Update is an alias for running fields, dashboards, config, includes.
+func Update() {
+	mg.SerialDeps(Fields, Dashboards, Config,
+		mage.GenerateModuleIncludeListGo, Docs)
+}
 
-const (
-	configTemplateGlob      = "module/*/_meta/config*.yml.tmpl"
-	shortConfigTemplate     = "build/auditbeat.yml.tmpl"
-	referenceConfigTemplate = "build/auditbeat.reference.yml.tmpl"
-)
+// Docs collects the documentation.
+func Docs() {
+	mg.SerialDeps(xpackFields, combinedDocs)
+}
 
-func makeConfigTemplates() error {
-	configFiles, err := mage.FindFiles(configTemplateGlob)
-	if err != nil {
-		return errors.Wrap(err, "failed to find config templates")
-	}
+// combinedDocs builds combined documentation for both OSS and X-Pack.
+func combinedDocs() error {
+	return auditbeat.CollectDocs(mage.OSSBeatDir(), auditbeat.XpackBeatDir())
+}
 
-	var shortIn []string
-	shortIn = append(shortIn, "_meta/common.p1.yml")
-	shortIn = append(shortIn, configFiles...)
-	shortIn = append(shortIn, "_meta/common.p2.yml")
-	shortIn = append(shortIn, "../libbeat/_meta/config.yml")
-	if !mage.IsUpToDate(shortConfigTemplate, shortIn...) {
-		fmt.Println(">> Building", shortConfigTemplate)
-		mage.MustFileConcat(shortConfigTemplate, 0600, shortIn...)
-		mage.MustFindReplace(shortConfigTemplate, regexp.MustCompile("beatname"), "{{.BeatName}}")
-		mage.MustFindReplace(shortConfigTemplate, regexp.MustCompile("beat-index-prefix"), "{{.BeatIndexPrefix}}")
-	}
+// xpackFields creates x-pack/auditbeat/fields.yml - necessary to build
+// a combined documentation.
+func xpackFields() error {
+	return mage.Mage(auditbeat.XpackBeatDir(), "fields")
+}
 
-	var referenceIn []string
-	referenceIn = append(referenceIn, "_meta/common.reference.yml")
-	referenceIn = append(referenceIn, configFiles...)
-	referenceIn = append(referenceIn, "../libbeat/_meta/config.reference.yml")
-	if !mage.IsUpToDate(referenceConfigTemplate, referenceIn...) {
-		fmt.Println(">> Building", referenceConfigTemplate)
-		mage.MustFileConcat(referenceConfigTemplate, 0644, referenceIn...)
-		mage.MustFindReplace(referenceConfigTemplate, regexp.MustCompile("beatname"), "{{.BeatName}}")
-		mage.MustFindReplace(referenceConfigTemplate, regexp.MustCompile("beat-index-prefix"), "{{.BeatIndexPrefix}}")
-	}
+// Fmt formats source code and adds file headers.
+func Fmt() {
+	mg.Deps(mage.Format)
+}
 
-	return nil
+// Check runs fmt and update then returns an error if any modifications are found.
+func Check() {
+	mg.SerialDeps(mage.Format, Update, mage.Check)
 }
 
-// customizePackaging modifies the package specs to use templated config files
-// instead of the defaults.
-//
-// Customizations specific to Auditbeat:
-// - Include audit.rules.d directory in packages.
-func customizePackaging() {
-	var (
-		shortConfig = mage.PackageFile{
-			Mode:   0600,
-			Source: "{{.PackageDir}}/auditbeat.yml",
-			Dep:    generateShortConfig,
-			Config: true,
-		}
-		referenceConfig = mage.PackageFile{
-			Mode:   0644,
-			Source: "{{.PackageDir}}/auditbeat.reference.yml",
-			Dep:    generateReferenceConfig,
-		}
-	)
-
-	archiveRulesDir := "audit.rules.d"
-	linuxPkgRulesDir := "/etc/{{.BeatName}}/audit.rules.d"
-	rulesSrcDir := "module/auditd/_meta/audit.rules.d"
-	sampleRules := mage.PackageFile{
-		Mode:   0644,
-		Source: rulesSrcDir,
-		Dep: func(spec mage.PackageSpec) error {
-			if spec.OS == "linux" {
-				params := map[string]interface{}{
-					"ArchBits": archBits,
-				}
-				rulesFile := spec.MustExpand(rulesSrcDir+"/sample-rules-linux-{{call .ArchBits .GOARCH}}bit.conf", params)
-				if err := mage.Copy(rulesFile, spec.MustExpand("{{.PackageDir}}/audit.rules.d/sample-rules.conf.disabled")); err != nil {
-					return errors.Wrap(err, "failed to copy sample rules")
-				}
-			}
-			return nil
-		},
-	}
+// IntegTest executes integration tests (it uses Docker to run the tests).
+func IntegTest() {
+	mage.AddIntegTestUsage()
+	defer mage.StopIntegTestEnv()
+	mg.SerialDeps(GoIntegTest, PythonIntegTest)
+}
 
-	for _, args := range mage.Packages {
-		pkgType := args.Types[0]
-		switch pkgType {
-		case mage.TarGz, mage.Zip:
-			args.Spec.ReplaceFile("{{.BeatName}}.yml", shortConfig)
-			args.Spec.ReplaceFile("{{.BeatName}}.reference.yml", referenceConfig)
-		case mage.Deb, mage.RPM, mage.DMG:
-			args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.yml", shortConfig)
-			args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.reference.yml", referenceConfig)
-		case mage.Docker:
-			args.Spec.ExtraVar("user", "root")
-		default:
-			panic(errors.Errorf("unhandled package type: %v", pkgType))
-		}
-		if args.OS == "linux" {
-			rulesDest := archiveRulesDir
-			if pkgType != mage.TarGz {
-				rulesDest = linuxPkgRulesDir
-			}
-			args.Spec.Files[rulesDest] = sampleRules
-		}
-	}
+// UnitTest executes the unit tests.
+func UnitTest() {
+	mg.SerialDeps(GoUnitTest, PythonUnitTest)
 }
 
-func generateReferenceConfig(spec mage.PackageSpec) error {
-	params := map[string]interface{}{
-		"Reference": true,
-		"ArchBits":  archBits,
-	}
-	return spec.ExpandFile(referenceConfigTemplate,
-		"{{.PackageDir}}/auditbeat.reference.yml", params)
+// GoUnitTest executes the Go unit tests.
+// Use TEST_COVERAGE=true to enable code coverage profiling.
+// Use RACE_DETECTOR=true to enable the race detector.
+func GoUnitTest(ctx context.Context) error {
+	return mage.GoTest(ctx, mage.DefaultGoTestUnitArgs())
 }
 
-func generateShortConfig(spec mage.PackageSpec) error {
-	params := map[string]interface{}{
-		"Reference": false,
-		"ArchBits":  archBits,
-	}
-	return spec.ExpandFile(shortConfigTemplate,
-		"{{.PackageDir}}/auditbeat.yml", params)
+// GoIntegTest executes the Go integration tests.
+// Use TEST_COVERAGE=true to enable code coverage profiling.
+// Use RACE_DETECTOR=true to enable the race detector.
+func GoIntegTest(ctx context.Context) error {
+	return mage.RunIntegTest("goIntegTest", func() error {
+		return mage.GoTest(ctx, mage.DefaultGoTestIntegrationArgs())
+	})
 }
 
-// archBits returns the number of bit width of the GOARCH architecture value.
-// This function is used by the auditd module configuration templates to
-// generate architecture specific audit rules.
-func archBits(goarch string) int {
-	switch goarch {
-	case "386", "arm":
-		return 32
-	default:
-		return 64
-	}
+// PythonUnitTest executes the python system tests.
+func PythonUnitTest() error {
+	mg.Deps(mage.BuildSystemTestBinary)
+	return mage.PythonNoseTest(mage.DefaultPythonTestUnitArgs())
 }
 
-// Configs generates the auditbeat.yml and auditbeat.reference.yml config files.
-// Set DEV_OS and DEV_ARCH to change the target host for the generated configs.
-// Defaults to linux/amd64.
-func Configs() {
-	mg.Deps(makeConfigTemplates)
-
-	params := map[string]interface{}{
-		"GOOS":      mage.EnvOr("DEV_OS", "linux"),
-		"GOARCH":    mage.EnvOr("DEV_ARCH", "amd64"),
-		"ArchBits":  archBits,
-		"Reference": false,
+// PythonIntegTest executes the python system tests in the integration environment (Docker).
+func PythonIntegTest(ctx context.Context) error {
+	if !mage.IsInIntegTestEnv() {
+		mg.SerialDeps(Fields, Dashboards)
 	}
-	fmt.Printf(">> Building auditbeat.yml for %v/%v\n", params["GOOS"], params["GOARCH"])
-	mage.MustExpandFile(shortConfigTemplate, "auditbeat.yml", params)
-
-	params["Reference"] = true
-	fmt.Printf(">> Building auditbeat.reference.yml for %v/%v\n", params["GOOS"], params["GOARCH"])
-	mage.MustExpandFile(referenceConfigTemplate, "auditbeat.reference.yml", params)
+	return mage.RunIntegTest("pythonIntegTest", func() error {
+		mg.Deps(mage.BuildSystemTestBinary)
+		return mage.PythonNoseTest(mage.DefaultPythonTestIntegrationArgs())
+	})
 }
diff --git a/auditbeat/module/auditd/_meta/config.yml.tmpl b/auditbeat/module/auditd/_meta/config.yml.tmpl
index aff7e704ce3c..be1e73d152ef 100644
--- a/auditbeat/module/auditd/_meta/config.yml.tmpl
+++ b/auditbeat/module/auditd/_meta/config.yml.tmpl
@@ -41,4 +41,4 @@
     ## Unauthorized access attempts.
     #-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
     #-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
-{{ end -}}
+{{ end }}
diff --git a/auditbeat/module/file_integrity/_meta/config.yml.tmpl b/auditbeat/module/file_integrity/_meta/config.yml.tmpl
index beaa9be26f8f..0784375155c7 100644
--- a/auditbeat/module/file_integrity/_meta/config.yml.tmpl
+++ b/auditbeat/module/file_integrity/_meta/config.yml.tmpl
@@ -74,4 +74,4 @@
 
   # Detect changes to files included in subdirectories. Disabled by default.
   recursive: false
-{{- end }}
+{{ end }}
diff --git a/auditbeat/scripts/docs_collector.py b/auditbeat/scripts/docs_collector.py
index d843f1932a55..d1654978a0f0 100644
--- a/auditbeat/scripts/docs_collector.py
+++ b/auditbeat/scripts/docs_collector.py
@@ -6,10 +6,13 @@
 # Collects docs for all modules and metricset
 
 
-def collect(beat_name):
+def collect(base_paths):
 
-    base_dir = "module"
-    path = os.path.abspath("module")
+    # Always use the auditbeat/docs/ directory, regardless
+    # of where this script was called from.
+    docs_path = os.path.abspath(os.path.join(__file__, os.pardir, os.pardir, "docs"))
+
+    beat_name = os.path.basename(base_paths[0])
 
     generated_note = """////
 This file is generated! See scripts/docs_collector.py
@@ -19,17 +22,25 @@ def collect(beat_name):
 
     modules_list = {}
 
+    # Dict: module name -> module path
+    module_dirs = {}
+    for path in base_paths:
+        module_dir = os.path.join(path, "module")
+        for module_name in os.listdir(module_dir):
+            module_dirs[module_name] = os.path.join(module_dir, module_name)
+
     # Iterate over all modules
-    for module in sorted(os.listdir(base_dir)):
+    for module in sorted(module_dirs):
+        module_dir = module_dirs[module]
 
-        module_doc = path + "/" + module + "/_meta/docs.asciidoc"
+        module_doc = os.path.join(module_dir, "_meta/docs.asciidoc")
 
         # Only check folders where docs.asciidoc exists
         if os.path.isfile(module_doc) == False:
             continue
 
         # Create directory for each module
-        os.mkdir(os.path.abspath("docs") + "/modules/" + module)
+        os.mkdir(os.path.join(module_docs_path(module_dir), "modules", module))
 
         module_file = generated_note
         module_file += "[id=\"{beatname_lc}-module-" + module + "\"]\n"
@@ -37,7 +48,7 @@ def collect(beat_name):
         with open(module_doc) as f:
             module_file += f.read()
 
-        beat_path = path + "/" + module + "/_meta"
+        beat_path = os.path.join(module_dir, "_meta")
 
         # Load title from fields.yml
         with open(beat_path + "/fields.yml") as f:
@@ -76,9 +87,9 @@ def collect(beat_name):
         module_includes = ""
 
         # Iterate over all metricsets
-        for metricset in sorted(os.listdir(base_dir + "/" + module)):
+        for metricset in sorted(os.listdir(module_dir)):
 
-            metricset_docs = path + "/" + module + "/" + metricset + "/_meta/docs.asciidoc"
+            metricset_docs = os.path.join(module_dir, metricset, "_meta/docs.asciidoc")
 
             # Only check folders where fields.yml exists
             if os.path.isfile(metricset_docs) == False:
@@ -96,6 +107,10 @@ def collect(beat_name):
 
             # Add reference to metricset file and include file
             metricset_file += reference + "\n"
+
+            # Create title out of module and metricset set name
+            metricset_file += "=== {} {} metricset\n\n".format(title, metricset)
+
             metricset_file += 'include::../../../module/' + module + '/' + metricset + '/_meta/docs.asciidoc[]' + "\n"
 
             # TODO: This should point directly to the exported fields of the metricset, not the whole module
@@ -108,7 +123,7 @@ def collect(beat_name):
 
 """
 
-            data_file = path + "/" + module + "/" + metricset + "/_meta/data.json"
+            data_file = os.path.join(module_dir, metricset, "_meta/data.json")
 
             # Add data.json example json document
             if os.path.isfile(data_file) == True:
@@ -121,7 +136,7 @@ def collect(beat_name):
                 metricset_file += "----\n"
 
             # Write metricset docs
-            with open(os.path.abspath("docs") + "/modules/" + module + "/" + metricset + ".asciidoc", 'w') as f:
+            with open(os.path.join(module_docs_path(module_dir), "modules", module, metricset + ".asciidoc"), 'w') as f:
                 f.write(metricset_file)
 
         if len(module_links) > 0:
@@ -133,28 +148,48 @@ def collect(beat_name):
             module_file += module_includes
 
         # Write module docs
-        with open(os.path.abspath("docs") + "/modules/" + module + ".asciidoc", 'w') as f:
+        with open(os.path.join(module_docs_path(module_dir), "modules", module + ".asciidoc"), 'w') as f:
             f.write(module_file)
 
     module_list_output = generated_note
     for m, title in sorted(six.iteritems(modules_list)):
+        if m == "system":
+            # This is a very crude way of excluding references to X-Pack docs from
+            # the build until the docs build is updated with the new folder.
+            # TODO: Remove at the earliest possible time.
+            continue
         module_list_output += "  * <<{beatname_lc}-module-" + m + "," + title + ">>\n"
 
     module_list_output += "\n\n--\n\n"
-    for m, title in sorted(six.iteritems(modules_list)):
-        module_list_output += "include::modules/" + m + ".asciidoc[]\n"
+    for module_name, module_path in sorted(six.iteritems(module_dirs)):
+        if module_name == "system":
+            # This is a very crude way of excluding references to X-Pack docs from
+            # the build until the docs build is updated with the new folder.
+            # TODO: Remove at the earliest possible time.
+            continue
+        rel_path_to_module_docs = os.path.relpath(module_docs_path(module_path), docs_path)
+        module_list_output += "include::" + \
+            os.path.join(rel_path_to_module_docs, "modules", module_name + ".asciidoc") + "[]\n"
 
     # Write module link list
-    with open(os.path.abspath("docs") + "/modules_list.asciidoc", 'w') as f:
+    with open(os.path.join(docs_path, "modules_list.asciidoc"), 'w') as f:
         f.write(module_list_output)
 
 
+def module_docs_path(module_path):
+    """
+    Returns the docs path for a module.
+    E.g. modules in x-pack/auditbeat/modules are put in x-pack/auditbeat/docs
+    (but linked to from beats/auditbeat/docs/modules_list.asciidoc)
+    """
+    return os.path.abspath(os.path.join(module_path, os.pardir, os.pardir, "docs"))
+
+
 if __name__ == "__main__":
     parser = argparse.ArgumentParser(
         description="Collects modules docs")
-    parser.add_argument("--beat", help="Beat name")
+    parser.add_argument("--base-paths", dest='base_paths', nargs='+', help="Base paths")
 
     args = parser.parse_args()
-    beat_name = args.beat
 
-    collect(beat_name)
+    collect(args.base_paths)
diff --git a/auditbeat/scripts/generate_config.go b/auditbeat/scripts/generate_config.go
deleted file mode 100644
index ef8f82928ff2..000000000000
--- a/auditbeat/scripts/generate_config.go
+++ /dev/null
@@ -1,141 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package main
-
-import (
-	"bytes"
-	"flag"
-	"fmt"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"runtime"
-	"strings"
-	"text/template"
-
-	"github.com/pkg/errors"
-)
-
-const defaultGlob = "module/*/_meta/config*.yml.tmpl"
-
-var (
-	goos      = flag.String("os", runtime.GOOS, "generate config specific to the specified operating system")
-	goarch    = flag.String("arch", runtime.GOARCH, "generate config specific to the specified CPU architecture")
-	reference = flag.Bool("ref", false, "generate a reference config")
-	concat    = flag.Bool("concat", false, "concatenate all configs instead writing individual files")
-)
-
-func findConfigFiles(globs []string) ([]string, error) {
-	var configFiles []string
-	for _, glob := range globs {
-		files, err := filepath.Glob(glob)
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed on glob %v", glob)
-		}
-		configFiles = append(configFiles, files...)
-	}
-	return configFiles, nil
-}
-
-// archBits returns the number of bit width of the GOARCH architecture value.
-// This function is used by the auditd module configuration templates to
-// generate architecture specific audit rules.
-func archBits(goarch string) int {
-	switch goarch {
-	case "386", "arm":
-		return 32
-	default:
-		return 64
-	}
-}
-
-func getConfig(file string) ([]byte, error) {
-	tpl, err := template.ParseFiles(file)
-	if err != nil {
-		return nil, errors.Wrapf(err, "failed reading %v", file)
-	}
-
-	data := map[string]interface{}{
-		"GOARCH":    *goarch,
-		"GOOS":      *goos,
-		"Reference": *reference,
-		"ArchBits":  archBits,
-	}
-	buf := new(bytes.Buffer)
-	if err = tpl.Execute(buf, data); err != nil {
-		return nil, errors.Wrapf(err, "failed executing template %v", file)
-	}
-
-	return buf.Bytes(), nil
-}
-
-func output(content []byte, file string) error {
-	if file == "-" {
-		fmt.Println(string(content))
-		return nil
-	}
-
-	if err := ioutil.WriteFile(file, content, 0640); err != nil {
-		return errors.Wrapf(err, "failed writing output to %v", file)
-	}
-
-	return nil
-}
-
-func logAndExit(err error) {
-	fmt.Fprintf(os.Stderr, "%+v\n", err)
-	os.Exit(1)
-}
-
-func main() {
-	flag.Parse()
-
-	globs := os.Args
-	if len(os.Args) > 0 {
-		path, err := filepath.Abs(defaultGlob)
-		if err != nil {
-			logAndExit(err)
-		}
-		globs = []string{path}
-	}
-
-	files, err := findConfigFiles(globs)
-	if err != nil {
-		logAndExit(err)
-	}
-
-	var segments [][]byte
-	for _, file := range files {
-		segment, err := getConfig(file)
-		if err != nil {
-			logAndExit(err)
-		}
-
-		if *concat {
-			segments = append(segments, segment)
-		} else {
-			output(segment, strings.TrimSuffix(file, ".tmpl"))
-		}
-	}
-
-	if *concat {
-		if err := output(bytes.Join(segments, []byte{'\n'}), "-"); err != nil {
-			logAndExit(err)
-		}
-	}
-}
diff --git a/auditbeat/scripts/mage/config.go b/auditbeat/scripts/mage/config.go
new file mode 100644
index 000000000000..2f7859bfa1c9
--- /dev/null
+++ b/auditbeat/scripts/mage/config.go
@@ -0,0 +1,105 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package mage
+
+import (
+	"fmt"
+	"regexp"
+
+	"github.com/pkg/errors"
+
+	"github.com/elastic/beats/dev-tools/mage"
+)
+
+// -----------------------------------------------------------------------------
+// Customizations specific to Auditbeat.
+// - Config files are Go templates.
+
+const (
+	// ConfigTemplateGlob matches Auditbeat modules' config file templates.
+	ConfigTemplateGlob      = "module/*/_meta/config*.yml.tmpl"
+	shortConfigTemplate     = "build/auditbeat.yml.tmpl"
+	referenceConfigTemplate = "build/auditbeat.reference.yml.tmpl"
+)
+
+func makeConfigTemplates(globs ...string) error {
+	configFiles, err := mage.FindFiles(globs...)
+	if err != nil {
+		return errors.Wrap(err, "failed to find config templates")
+	}
+
+	var shortIn []string
+	shortIn = append(shortIn, mage.OSSBeatDir("_meta/common.p1.yml"))
+	shortIn = append(shortIn, configFiles...)
+	shortIn = append(shortIn, mage.OSSBeatDir("_meta/common.p2.yml"))
+	shortIn = append(shortIn, mage.LibbeatDir("_meta/config.yml"))
+	if !mage.IsUpToDate(shortConfigTemplate, shortIn...) {
+		fmt.Println(">> Building", shortConfigTemplate)
+		mage.MustFileConcat(shortConfigTemplate, 0600, shortIn...)
+		mage.MustFindReplace(shortConfigTemplate, regexp.MustCompile("beatname"), "{{.BeatName}}")
+		mage.MustFindReplace(shortConfigTemplate, regexp.MustCompile("beat-index-prefix"), "{{.BeatIndexPrefix}}")
+	}
+
+	var referenceIn []string
+	referenceIn = append(referenceIn, mage.OSSBeatDir("_meta/common.reference.yml"))
+	referenceIn = append(referenceIn, configFiles...)
+	referenceIn = append(referenceIn, mage.LibbeatDir("_meta/config.reference.yml"))
+	if !mage.IsUpToDate(referenceConfigTemplate, referenceIn...) {
+		fmt.Println(">> Building", referenceConfigTemplate)
+		mage.MustFileConcat(referenceConfigTemplate, 0644, referenceIn...)
+		mage.MustFindReplace(referenceConfigTemplate, regexp.MustCompile("beatname"), "{{.BeatName}}")
+		mage.MustFindReplace(referenceConfigTemplate, regexp.MustCompile("beat-index-prefix"), "{{.BeatIndexPrefix}}")
+	}
+
+	return nil
+}
+
+// archBits returns the number of bit width of the GOARCH architecture value.
+// This function is used by the auditd module configuration templates to
+// generate architecture specific audit rules.
+func archBits(goarch string) int {
+	switch goarch {
+	case "386", "arm":
+		return 32
+	default:
+		return 64
+	}
+}
+
+// Config generates the auditbeat.yml and auditbeat.reference.yml config files.
+// Set DEV_OS and DEV_ARCH to change the target host for the generated configs.
+// Defaults to linux/amd64.
+func Config(configTemplateGlobs ...string) error {
+	if err := makeConfigTemplates(configTemplateGlobs...); err != nil {
+		return errors.Wrap(err, "failed making config templates")
+	}
+
+	params := map[string]interface{}{
+		"GOOS":      mage.EnvOr("DEV_OS", "linux"),
+		"GOARCH":    mage.EnvOr("DEV_ARCH", "amd64"),
+		"ArchBits":  archBits,
+		"Reference": false,
+	}
+	fmt.Printf(">> Building auditbeat.yml for %v/%v\n", params["GOOS"], params["GOARCH"])
+	mage.MustExpandFile(shortConfigTemplate, "auditbeat.yml", params)
+
+	params["Reference"] = true
+	fmt.Printf(">> Building auditbeat.reference.yml for %v/%v\n", params["GOOS"], params["GOARCH"])
+	mage.MustExpandFile(referenceConfigTemplate, "auditbeat.reference.yml", params)
+	return nil
+}
diff --git a/auditbeat/scripts/mage/docs.go b/auditbeat/scripts/mage/docs.go
new file mode 100644
index 000000000000..d8c70bbae16e
--- /dev/null
+++ b/auditbeat/scripts/mage/docs.go
@@ -0,0 +1,101 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package mage
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/magefile/mage/sh"
+	"github.com/pkg/errors"
+
+	"github.com/elastic/beats/dev-tools/mage"
+)
+
+// CollectDocs collects documentation from modules.
+func CollectDocs(basePaths ...string) error {
+
+	// Generate config.yml files for each module.
+	var configFiles []string
+	for _, path := range basePaths {
+		files, err := mage.FindFiles(filepath.Join(path, ConfigTemplateGlob))
+		if err != nil {
+			return errors.Wrap(err, "failed to find config templates")
+		}
+
+		configFiles = append(configFiles, files...)
+	}
+
+	var configs []string
+	params := map[string]interface{}{
+		"GOOS":      "linux",
+		"GOARCH":    "amd64",
+		"ArchBits":  archBits,
+		"Reference": false,
+	}
+	for _, src := range configFiles {
+		dst := strings.TrimSuffix(src, ".tmpl")
+		configs = append(configs, dst)
+		mage.MustExpandFile(src, dst, params)
+	}
+	defer mage.Clean(configs)
+
+	// Remove old.
+	for _, path := range basePaths {
+		if err := os.RemoveAll(filepath.Join(path, "docs/modules")); err != nil {
+			return err
+		}
+		if err := os.MkdirAll(filepath.Join(path, "docs/modules"), 0755); err != nil {
+			return err
+		}
+	}
+
+	// Run the docs_collector.py script.
+	ve, err := mage.PythonVirtualenv()
+	if err != nil {
+		return err
+	}
+
+	python, err := mage.LookVirtualenvPath(ve, "python")
+	if err != nil {
+		return err
+	}
+
+	// TODO: Port this script to Go.
+	args := []string{mage.OSSBeatDir("scripts/docs_collector.py"), "--base-paths"}
+	args = append(args, basePaths...)
+
+	err = sh.Run(python, args...)
+	if err != nil {
+		return err
+	}
+
+	esBeats, err := mage.ElasticBeatsDir()
+	if err != nil {
+		return err
+	}
+
+	return sh.Run(python, mage.LibbeatDir("scripts/generate_fields_docs.py"),
+		XpackBeatDir(), mage.BeatName, esBeats, "--output_path", mage.OSSBeatDir())
+}
+
+// XpackBeatDir returns the x-pack/{beatname} directory for a Beat.
+func XpackBeatDir() string {
+	return mage.OSSBeatDir("../x-pack", mage.BeatName)
+}
diff --git a/auditbeat/scripts/mage/package.go b/auditbeat/scripts/mage/package.go
new file mode 100644
index 000000000000..6d7913ed7ca7
--- /dev/null
+++ b/auditbeat/scripts/mage/package.go
@@ -0,0 +1,114 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package mage
+
+import (
+	"github.com/pkg/errors"
+
+	"github.com/elastic/beats/dev-tools/mage"
+)
+
+// CustomizePackaging modifies the package specs to use templated config files
+// instead of the defaults.
+//
+// Customizations specific to Auditbeat:
+// - Include audit.rules.d directory in packages.
+func CustomizePackaging() {
+	var (
+		shortConfig = mage.PackageFile{
+			Mode:   0600,
+			Source: "{{.PackageDir}}/auditbeat.yml",
+			Dep:    generateShortConfig,
+			Config: true,
+		}
+		referenceConfig = mage.PackageFile{
+			Mode:   0644,
+			Source: "{{.PackageDir}}/auditbeat.reference.yml",
+			Dep:    generateReferenceConfig,
+		}
+	)
+
+	const (
+		sampleRulesSource        = "{{.PackageDir}}/audit.rules.d/sample-rules.conf.disabled"
+		defaultSampleRulesTarget = "audit.rules.d/sample-rules.conf.disabled"
+	)
+	sampleRules := mage.PackageFile{
+		Mode:   0644,
+		Source: sampleRulesSource,
+		Dep: func(spec mage.PackageSpec) error {
+			if spec.OS != "linux" {
+				return errors.New("audit rules are for linux only")
+			}
+
+			// Origin rule file.
+			params := map[string]interface{}{"ArchBits": archBits}
+			origin := mage.OSSBeatDir(
+				"module/auditd/_meta/audit.rules.d",
+				spec.MustExpand("sample-rules-linux-{{call .ArchBits .GOARCH}}bit.conf", params),
+			)
+
+			if err := mage.Copy(origin, spec.MustExpand(sampleRulesSource)); err != nil {
+				return errors.Wrap(err, "failed to copy sample rules")
+			}
+			return nil
+		},
+	}
+
+	for _, args := range mage.Packages {
+		for _, pkgType := range args.Types {
+			sampleRulesTarget := defaultSampleRulesTarget
+
+			switch pkgType {
+			case mage.TarGz, mage.Zip:
+				args.Spec.ReplaceFile("{{.BeatName}}.yml", shortConfig)
+				args.Spec.ReplaceFile("{{.BeatName}}.reference.yml", referenceConfig)
+			case mage.Deb, mage.RPM, mage.DMG:
+				args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.yml", shortConfig)
+				args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.reference.yml", referenceConfig)
+				sampleRulesTarget = "/etc/{{.BeatName}}/" + defaultSampleRulesTarget
+			case mage.Docker:
+				args.Spec.ExtraVar("user", "root")
+			default:
+				panic(errors.Errorf("unhandled package type: %v", pkgType))
+			}
+
+			if args.OS == "linux" {
+				args.Spec.Files[sampleRulesTarget] = sampleRules
+			}
+			break
+		}
+	}
+}
+
+func generateReferenceConfig(spec mage.PackageSpec) error {
+	params := map[string]interface{}{
+		"Reference": true,
+		"ArchBits":  archBits,
+	}
+	return spec.ExpandFile(referenceConfigTemplate,
+		"{{.PackageDir}}/auditbeat.reference.yml", params)
+}
+
+func generateShortConfig(spec mage.PackageSpec) error {
+	params := map[string]interface{}{
+		"Reference": false,
+		"ArchBits":  archBits,
+	}
+	return spec.ExpandFile(shortConfigTemplate,
+		"{{.PackageDir}}/auditbeat.yml", params)
+}
diff --git a/auditbeat/tests/system/auditbeat.py b/auditbeat/tests/system/auditbeat.py
index 1c0f4e816b89..8892afbe1027 100644
--- a/auditbeat/tests/system/auditbeat.py
+++ b/auditbeat/tests/system/auditbeat.py
@@ -15,8 +15,11 @@ class BaseTest(MetricbeatTest):
     @classmethod
     def setUpClass(self):
         self.beat_name = "auditbeat"
-        self.beat_path = os.path.abspath(
-            os.path.join(os.path.dirname(__file__), "../../"))
+
+        if not hasattr(self, 'beat_path'):
+            self.beat_path = os.path.abspath(
+                os.path.join(os.path.dirname(__file__), "../../"))
+
         super(MetricbeatTest, self).setUpClass()
 
     def create_file(self, path, contents):
diff --git a/auditbeat/tests/system/test_base.py b/auditbeat/tests/system/test_base.py
index d92e34a70fa2..8a15d004df9c 100644
--- a/auditbeat/tests/system/test_base.py
+++ b/auditbeat/tests/system/test_base.py
@@ -63,7 +63,7 @@ def test_dashboards(self):
 
         dirs = [self.temp_dir("auditbeat_test")]
         with PathCleanup(dirs):
-            kibana_dir = os.path.join(self.beat_path, "_meta", "kibana.generated")
+            kibana_dir = os.path.join(self.beat_path, "build", "kibana")
             shutil.copytree(kibana_dir, os.path.join(self.working_dir, "kibana"))
 
             es = Elasticsearch([self.get_elasticsearch_url()])
diff --git a/dev-tools/cmd/module_include_list/module_include_list.go b/dev-tools/cmd/module_include_list/module_include_list.go
index 67c1c5f8d678..db46b5e872e0 100644
--- a/dev-tools/cmd/module_include_list/module_include_list.go
+++ b/dev-tools/cmd/module_include_list/module_include_list.go
@@ -143,7 +143,7 @@ var Template = template.Must(template.New("normalizations").Funcs(map[string]int
 package {{ .Package }}
 
 import (
-	// Import modules.
+	// Import packages that need to register themselves.
 {{- range $import := .Imports }}
 	_ "{{ $import }}"
 {{- end }}
diff --git a/dev-tools/mage/common.go b/dev-tools/mage/common.go
index 669e48736d7b..57ca7c85bf6f 100644
--- a/dev-tools/mage/common.go
+++ b/dev-tools/mage/common.go
@@ -693,6 +693,17 @@ func OSSBeatDir(path ...string) string {
 	return filepath.Join(append([]string{ossDir}, path...)...)
 }
 
+// LibbeatDir returns the libbeat directory. You can pass paths and
+// they will be joined and appended to the libbeat dir.
+func LibbeatDir(path ...string) string {
+	esBeatsDir, err := ElasticBeatsDir()
+	if err != nil {
+		panic(errors.Wrap(err, "failed determine libbeat dir location"))
+	}
+
+	return filepath.Join(append([]string{esBeatsDir, "libbeat"}, path...)...)
+}
+
 // createDir creates the parent directory for the given file.
 func createDir(file string) string {
 	// Create the output directory.
diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go
index 3a7efad0a316..2bfa7bc74e84 100644
--- a/dev-tools/mage/crossbuild.go
+++ b/dev-tools/mage/crossbuild.go
@@ -25,10 +25,13 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/magefile/mage/mg"
 	"github.com/magefile/mage/sh"
 	"github.com/pkg/errors"
+
+	"github.com/elastic/beats/libbeat/common/file"
 )
 
 const defaultCrossBuildTarget = "golangCrossBuild"
@@ -270,6 +273,7 @@ func DockerChown(path string) {
 	uid, _ := strconv.Atoi(EnvOr("EXEC_UID", "-1"))
 	gid, _ := strconv.Atoi(EnvOr("EXEC_GID", "-1"))
 	if uid > 0 && gid > 0 {
+		log.Printf(">>> Fixing file ownership issues from Docker at path=%v", path)
 		if err := chownPaths(uid, gid, path); err != nil {
 			log.Println(err)
 		}
@@ -278,14 +282,30 @@ func DockerChown(path string) {
 
 // chownPaths will chown the file and all of the dirs specified in the path.
 func chownPaths(uid, gid int, path string) error {
-	return filepath.Walk(path, func(name string, _ os.FileInfo, err error) error {
+	start := time.Now()
+	defer log.Printf("chown took: %v", time.Now().Sub(start))
+
+	return filepath.Walk(path, func(name string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+
+		// Get the file's UID and GID.
+		stat, err := file.Wrap(info)
 		if err != nil {
 			return err
 		}
-		log.Printf("chown line: %s\n", name)
+		fileUID, _ := stat.UID()
+		fileGID, _ := stat.GID()
+		if uid == fileUID && gid == fileGID {
+			// Skip if UID/GID are already a match.
+			return nil
+		}
+
+		log.Printf("chown file: %v", name)
 		if err := os.Chown(name, uid, gid); err != nil {
 			return errors.Wrapf(err, "failed to chown path=%v", name)
 		}
-		return err
+		return nil
 	})
 }
diff --git a/dev-tools/mage/fields.go b/dev-tools/mage/fields.go
index 96e12357e522..62aa95bc654e 100644
--- a/dev-tools/mage/fields.go
+++ b/dev-tools/mage/fields.go
@@ -20,6 +20,8 @@ package mage
 import (
 	"path/filepath"
 
+	"github.com/pkg/errors"
+
 	"github.com/magefile/mage/sh"
 )
 
@@ -65,17 +67,12 @@ func GenerateFieldsGo(fieldsYML, out string) error {
 		return err
 	}
 
-	licenseType := BeatLicense
-	if licenseType == "ASL 2.0" {
-		licenseType = "ASL2"
-	}
-
 	assetCmd := sh.RunCmd("go", "run",
 		filepath.Join(beatsDir, assetCmdPath),
 		"-pkg", "include",
 		"-in", fieldsYML,
 		"-out", createDir(out),
-		"-license", licenseType,
+		"-license", toLibbeatLicenseName(BeatLicense),
 		BeatName,
 	)
 
@@ -93,15 +90,10 @@ func GenerateModuleFieldsGo() error {
 		return err
 	}
 
-	licenseType := BeatLicense
-	if licenseType == "ASL 2.0" {
-		licenseType = "ASL2"
-	}
-
 	moduleFieldsCmd := sh.RunCmd("go", "run",
 		filepath.Join(beatsDir, moduleFieldsCmdPath),
 		"-beat", BeatName,
-		"-license", licenseType,
+		"-license", toLibbeatLicenseName(BeatLicense),
 		filepath.Join(CWD(), "module"),
 	)
 
@@ -109,7 +101,7 @@ func GenerateModuleFieldsGo() error {
 }
 
 // GenerateModuleIncludeListGo generates an include/list.go file containing
-// a import statement for each module and metricset.
+// a import statement for each module and dataset.
 func GenerateModuleIncludeListGo() error {
 	const moduleIncludeListCmdPath = "dev-tools/cmd/module_include_list/module_include_list.go"
 
@@ -118,16 +110,24 @@ func GenerateModuleIncludeListGo() error {
 		return err
 	}
 
-	licenseType := BeatLicense
-	if licenseType == "ASL 2.0" {
-		licenseType = "ASL2"
-	}
-
-	moduleFieldsCmd := sh.RunCmd("go", "run",
+	includeListCmd := sh.RunCmd("go", "run",
 		filepath.Join(beatsDir, moduleIncludeListCmdPath),
-		"-license", licenseType,
+		"-license", toLibbeatLicenseName(BeatLicense),
 		filepath.Join(CWD(), "module"),
 	)
 
-	return moduleFieldsCmd()
+	return includeListCmd()
+}
+
+// toLibbeatLicenseName translates the license type used in packages to
+// the identifiers used by github.com/elastic/beatslibbeat/licenses.
+func toLibbeatLicenseName(name string) string {
+	switch name {
+	case "ASL 2.0":
+		return "ASL2"
+	case "Elastic License":
+		return "Elastic"
+	default:
+		panic(errors.Errorf("invalid license name '%v'", name))
+	}
 }
diff --git a/dev-tools/mage/fmt.go b/dev-tools/mage/fmt.go
index 5e80a18e037a..d0dba1cecad8 100644
--- a/dev-tools/mage/fmt.go
+++ b/dev-tools/mage/fmt.go
@@ -94,7 +94,7 @@ func PythonAutopep8() error {
 		return err
 	}
 
-	autopep8, err := lookVirtualenvPath(ve, "autopep8")
+	autopep8, err := LookVirtualenvPath(ve, "autopep8")
 	if err != nil {
 		return err
 	}
@@ -118,10 +118,10 @@ func AddLicenseHeaders() error {
 
 	var license string
 	switch BeatLicense {
-	case "ASL 2.0":
+	case "ASL2", "ASL 2.0":
 		license = "ASL2"
-	case "Elastic":
-		license = BeatLicense
+	case "Elastic", "Elastic License":
+		license = "Elastic"
 	default:
 		return errors.Errorf("unknown license type %v", BeatLicense)
 	}
diff --git a/dev-tools/mage/integtest.go b/dev-tools/mage/integtest.go
index 55f5a25f66ec..c96e3931b83a 100644
--- a/dev-tools/mage/integtest.go
+++ b/dev-tools/mage/integtest.go
@@ -22,6 +22,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"sync"
 
@@ -142,6 +143,10 @@ func RunIntegTest(mageTarget string, test func() error, passThroughEnvVars ...st
 
 func runInIntegTestEnv(mageTarget string, test func() error, passThroughEnvVars ...string) error {
 	if IsInIntegTestEnv() {
+		// Fix file permissions after test is done writing files as root.
+		if runtime.GOOS != "windows" {
+			defer DockerChown(".")
+		}
 		return test()
 	}
 
@@ -174,6 +179,10 @@ func runInIntegTestEnv(mageTarget string, test func() error, passThroughEnvVars
 		// and the UID/GID won't meet the strict requirements.
 		"-e", "BEAT_STRICT_PERMS=false",
 	}
+	args, err = addUidGidEnvArgs(args)
+	if err != nil {
+		return err
+	}
 	for _, envVar := range passThroughEnvVars {
 		args = append(args, "-e", envVar+"="+os.Getenv(envVar))
 	}
diff --git a/dev-tools/mage/kibana.go b/dev-tools/mage/kibana.go
index d9cda7892a66..aeae72d83b8e 100644
--- a/dev-tools/mage/kibana.go
+++ b/dev-tools/mage/kibana.go
@@ -27,6 +27,7 @@ import (
 
 // KibanaDashboards collects the Kibana dashboards files and generates the
 // index patterns based on the fields.yml file. It outputs to build/kibana.
+// Use PackageKibanaDashboardsFromBuildDir() with this.
 func KibanaDashboards(moduleDirs ...string) error {
 	var kibanaBuildDir = "build/kibana"
 
@@ -34,6 +35,11 @@ func KibanaDashboards(moduleDirs ...string) error {
 		return err
 	}
 
+	// Create symlink from old directory so `make beats-dashboards` works.
+	if err := os.Symlink(filepath.Join("..", kibanaBuildDir), "_meta/kibana.generated"); err != nil && !os.IsExist(err) && !os.IsNotExist(err) {
+		return err
+	}
+
 	// Copy the OSS Beat's common dashboards if they exist. This assumes that
 	// X-Pack Beats only add dashboards with modules (this will require a
 	// change if we have X-Pack only Beats).
@@ -87,3 +93,29 @@ func KibanaDashboards(moduleDirs ...string) error {
 
 	return indexPatternCmd()
 }
+
+// PackageKibanaDashboardsFromBuildDir reconfigures the packaging configuration
+// to pull Kibana dashboards from build/kibana rather than _meta/kibana.generated.
+// Use this with KibanaDashboards() (aka mage dashboards).
+func PackageKibanaDashboardsFromBuildDir() {
+	kibanaDashboards := PackageFile{
+		Source: "build/kibana",
+		Mode:   0644,
+	}
+
+	for _, pkgArgs := range Packages {
+		for _, pkgType := range pkgArgs.Types {
+			switch pkgType {
+			case TarGz, Zip, Docker:
+				pkgArgs.Spec.ReplaceFile("kibana", kibanaDashboards)
+			case Deb, RPM:
+				pkgArgs.Spec.ReplaceFile("/usr/share/{{.BeatName}}/kibana", kibanaDashboards)
+			case DMG:
+				pkgArgs.Spec.ReplaceFile("/Library/Application Support/{{.BeatVendor}}/{{.BeatName}}/kibana", kibanaDashboards)
+			default:
+				panic(errors.Errorf("unhandled package type: %v", pkgType))
+			}
+			break
+		}
+	}
+}
diff --git a/dev-tools/mage/pkgspecs.go b/dev-tools/mage/pkgspecs.go
index 09ecdfe1469b..ba8d403056b6 100644
--- a/dev-tools/mage/pkgspecs.go
+++ b/dev-tools/mage/pkgspecs.go
@@ -44,23 +44,37 @@ func UseCommunityBeatPackaging() {
 // that is purely OSS under Apache 2.0 and one that is licensed under the
 // Elastic License and may contain additional X-Pack features.
 func UseElasticBeatPackaging() {
-	MustUsePackaging("elastic_beat", packageSpecFile)
+	UseElasticBeatOSSPackaging()
+	MustUsePackaging("elastic_beat_xpack_separate_binaries", packageSpecFile)
 }
 
-// UseElasticBeatWithoutXPackPackaging configures the package target to build packages for
-// an Elastic Beat. This means it will generate two sets of packages -- one
-// that is purely OSS under Apache 2.0 and one that is licensed under the
-// Elastic License and may contain additional X-Pack features.
+// UseElasticBeatOSSPackaging configures the package target to build OSS
+// packages.
+func UseElasticBeatOSSPackaging() {
+	MustUsePackaging("elastic_beat_oss", packageSpecFile)
+}
+
+// UseElasticBeatXPackPackaging configures the package target to build Elastic
+// licensed (X-Pack) packages.
+func UseElasticBeatXPackPackaging() {
+	MustUsePackaging("elastic_beat_xpack", packageSpecFile)
+}
+
+// UseElasticBeatWithoutXPackPackaging configures the package target to build
+// packages for an Elastic Beat. This means it will generate two sets of
+// packages -- one that is purely OSS under Apache 2.0 and one that is licensed
+// under the Elastic License and may contain additional X-Pack features.
 //
 // NOTE: This method doesn't use binaries produced in the x-pack folder, this is
-// a temporary packaging target for projects that depends on beat but do have concrete x-pack
-// binaries.
+// a temporary packaging target for projects that depends on beat but do have
+// concrete x-pack binaries.
 func UseElasticBeatWithoutXPackPackaging() {
-	MustUsePackaging("elastic_beat_without_xpack", packageSpecFile)
+	UseElasticBeatOSSPackaging()
+	UseElasticBeatXPackPackaging()
 }
 
-// MustUsePackaging will load a named spec from a named file, if any errors occurs when loading
-// the specs it will panic.
+// MustUsePackaging will load a named spec from a named file, if any errors
+// occurs when loading the specs it will panic.
 //
 // NOTE: we assume that specFile is relative to the beatsDir.
 func MustUsePackaging(specName, specFile string) {
@@ -103,11 +117,11 @@ func LoadNamedSpec(name string, files ...string) error {
 	}
 
 	log.Printf("%v package spec loaded from %v", name, files)
-	Packages = packages
+	Packages = append(Packages, packages...)
 	return nil
 }
 
-// LoadSpecs loads the packaging specifications from the specified YAML file.
+// LoadSpecs loads the packaging specifications from the specified YAML files.
 func LoadSpecs(files ...string) (map[string][]OSPackageArgs, error) {
 	var data [][]byte
 	for _, file := range files {
diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go
index a283828b4fc8..b946ba446fb4 100644
--- a/dev-tools/mage/pkgtypes.go
+++ b/dev-tools/mage/pkgtypes.go
@@ -704,14 +704,21 @@ func addUidGidEnvArgs(args []string) ([]string, error) {
 	}
 
 	return append(args,
-		"--env", "EXEC_UID="+strconv.Itoa(uid),
-		"--env", "EXEC_GID="+strconv.Itoa(gid),
+		"-e", "EXEC_UID="+strconv.Itoa(uid),
+		"-e", "EXEC_GID="+strconv.Itoa(gid),
 	), nil
 }
 
 // addFileToZip adds a file (or directory) to a zip archive.
 func addFileToZip(ar *zip.Writer, baseDir string, pkgFile PackageFile) error {
-	return filepath.Walk(pkgFile.Source, func(path string, info os.FileInfo, err error) error {
+	// filepath.Walk() does not resolve symlinks, but pkgFile.Source might be one,
+	// see mage.KibanaDashboards().
+	resolvedSource, err := filepath.EvalSymlinks(pkgFile.Source)
+	if err != nil {
+		return err
+	}
+
+	return filepath.Walk(resolvedSource, func(path string, info os.FileInfo, err error) error {
 		if err != nil {
 			return err
 		}
diff --git a/dev-tools/mage/pytest.go b/dev-tools/mage/pytest.go
index 0cef1b01be2d..4531fed53d41 100644
--- a/dev-tools/mage/pytest.go
+++ b/dev-tools/mage/pytest.go
@@ -131,7 +131,7 @@ func PythonNoseTest(params PythonTestArgs) error {
 	// We check both the VE and the normal PATH because on Windows if the
 	// requirements are met by the globally installed package they are not
 	// installed to the VE.
-	nosetestsPath, err := lookVirtualenvPath(ve, "nosetests")
+	nosetestsPath, err := LookVirtualenvPath(ve, "nosetests")
 	if err != nil {
 		return err
 	}
@@ -236,9 +236,9 @@ func virtualenvPath(ve string, parts ...string) string {
 	return filepath.Join(append([]string{ve, "bin"}, parts...)...)
 }
 
-// lookVirtualenvPath looks for an executable in the path and it includes the
+// LookVirtualenvPath looks for an executable in the path and it includes the
 // virtualenv in the search.
-func lookVirtualenvPath(ve, file string) (string, error) {
+func LookVirtualenvPath(ve, file string) (string, error) {
 	// This is kind of unsafe w.r.t. concurrent execs because they could end
 	// up with different PATHs. But it allows us to search the VE path without
 	// having to re-implement the exec.LookPath logic. And does not require us
diff --git a/dev-tools/make/xpack.mk b/dev-tools/make/xpack.mk
index 6ceea53d19f2..cb49f48c40f0 100644
--- a/dev-tools/make/xpack.mk
+++ b/dev-tools/make/xpack.mk
@@ -1,5 +1,6 @@
-# This Makefile is for x-pack Beats. Its only responsibility is to provide
-# compatibility with existing Jenkins and Travis setups.
+# This is a minimal Makefile for Beats that are built with Mage. Its only
+# responsibility is to provide compatibility with existing Jenkins and Travis
+# setups.
 
 #
 # Variables
@@ -33,6 +34,10 @@ help:
 	@echo Use mage rather than make. Here are the available mage targets:
 	@mage -l
 
+.PHONY: release
+release: mage
+	mage package
+
 .PHONY: testsuite
 testsuite: mage
 	-rm build/TEST-go-integration.out
diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml
index 7d71440230e1..8ee3eeff51f8 100644
--- a/dev-tools/packaging/packages.yml
+++ b/dev-tools/packaging/packages.yml
@@ -250,10 +250,9 @@ specs:
       spec:
         <<: *docker_spec
 
-  elastic_beat_without_xpack:
-    ###
-    # OSS Packages
-    ###
+  # Elastic Beat with Apache License (OSS) and binary taken the current
+  # directory.
+  elastic_beat_oss:
     - os: windows
       types: [zip]
       spec:
@@ -297,6 +296,8 @@ specs:
         <<: *apache_license_for_binaries
         name: '{{.BeatName}}-oss'
 
+  # Elastic Beat with Elastic License and binary taken the current directory.
+  elastic_beat_xpack:
     ###
     # Elastic Licensed Packages
     ###
@@ -337,54 +338,8 @@ specs:
         <<: *elastic_docker_spec
         <<: *elastic_license_for_binaries
 
-  # Official Beats
-  elastic_beat:
-    ###
-    # OSS Packages
-    ###
-    - os: windows
-      types: [zip]
-      spec:
-        <<: *windows_binary_spec
-        <<: *apache_license_for_binaries
-        name: '{{.BeatName}}-oss'
-
-    - os: darwin
-      types: [tgz]
-      spec:
-        <<: *binary_spec
-        <<: *apache_license_for_binaries
-        name: '{{.BeatName}}-oss'
-
-    - os: darwin
-      types: [dmg]
-      spec:
-        <<: *macos_beat_pkg_spec
-        <<: *apache_license_for_macos_pkg
-        name: '{{.BeatName}}-oss'
-
-    - os: linux
-      types: [tgz]
-      spec:
-        <<: *binary_spec
-        <<: *apache_license_for_binaries
-        name: '{{.BeatName}}-oss'
-
-    - os: linux
-      types: [deb, rpm]
-      spec:
-        <<: *deb_rpm_spec
-        <<: *apache_license_for_deb_rpm
-        name: '{{.BeatName}}-oss'
-
-    - os: linux
-      types: [docker]
-      spec:
-        <<: *docker_spec
-        <<: *elastic_docker_spec
-        <<: *apache_license_for_binaries
-        name: '{{.BeatName}}-oss'
-
+  # Elastic Beat with Elastic License and binary taken from the x-pack dir.
+  elastic_beat_xpack_separate_binaries:
     ###
     # Elastic Licensed Packages
     ###
diff --git a/libbeat/common/file/fileinfo.go b/libbeat/common/file/fileinfo.go
index 6b3027ad8a8c..c1a8ce60824b 100644
--- a/libbeat/common/file/fileinfo.go
+++ b/libbeat/common/file/fileinfo.go
@@ -43,6 +43,12 @@ func Lstat(name string) (FileInfo, error) {
 	return stat(name, os.Lstat)
 }
 
+// Wrap wraps the given os.FileInfo and returns a FileInfo in order to expose
+// the UID and GID in a uniform manner across operating systems.
+func Wrap(info os.FileInfo) (FileInfo, error) {
+	return wrap(info)
+}
+
 type fileInfo struct {
 	os.FileInfo
 	uid *int
diff --git a/libbeat/common/file/fileinfo_unix.go b/libbeat/common/file/fileinfo_unix.go
index 80f5ccf712c6..07e4288307ee 100644
--- a/libbeat/common/file/fileinfo_unix.go
+++ b/libbeat/common/file/fileinfo_unix.go
@@ -31,6 +31,10 @@ func stat(name string, statFunc func(name string) (os.FileInfo, error)) (FileInf
 		return nil, err
 	}
 
+	return wrap(info)
+}
+
+func wrap(info os.FileInfo) (FileInfo, error) {
 	stat, ok := info.Sys().(*syscall.Stat_t)
 	if !ok {
 		return nil, errors.New("failed to get uid/gid")
diff --git a/libbeat/common/file/fileinfo_windows.go b/libbeat/common/file/fileinfo_windows.go
index 5d8e3dfa8df4..855eb704eadc 100644
--- a/libbeat/common/file/fileinfo_windows.go
+++ b/libbeat/common/file/fileinfo_windows.go
@@ -27,5 +27,9 @@ func stat(name string, statFunc func(name string) (os.FileInfo, error)) (FileInf
 		return nil, err
 	}
 
+	return wrap(info)
+}
+
+func wrap(info os.FileInfo) (FileInfo, error) {
 	return fileInfo{FileInfo: info}, nil
 }
diff --git a/libbeat/generator/fields/fields.go b/libbeat/generator/fields/fields.go
index c7a37a7b833c..a5821b780688 100644
--- a/libbeat/generator/fields/fields.go
+++ b/libbeat/generator/fields/fields.go
@@ -31,6 +31,27 @@ type YmlFile struct {
 	Indent int
 }
 
+// NewYmlFile performs some checks and then creates and returns a YmlFile struct
+func NewYmlFile(path string, indent int) (*YmlFile, error) {
+	_, err := os.Stat(path)
+
+	if os.IsNotExist(err) {
+		// skip
+		return nil, nil
+	}
+
+	if err != nil {
+		// return error
+		return nil, err
+	}
+
+	// All good, return file
+	return &YmlFile{
+		Path:   path,
+		Indent: indent,
+	}, nil
+}
+
 func collectCommonFiles(esBeatsPath, beatPath string, fieldFiles []*YmlFile) ([]*YmlFile, error) {
 	var libbeatFieldFiles []*YmlFile
 	var err error
@@ -54,16 +75,13 @@ func collectCommonFiles(esBeatsPath, beatPath string, fieldFiles []*YmlFile) ([]
 
 	var files []*YmlFile
 	for _, cf := range commonFields {
-		_, err := os.Stat(cf)
-		if os.IsNotExist(err) {
-			continue
-		} else if err != nil {
+		ymlFile, err := NewYmlFile(cf, 0)
+
+		if err != nil {
 			return nil, err
+		} else if ymlFile != nil {
+			files = append(files, ymlFile)
 		}
-		files = append(files, &YmlFile{
-			Path:   cf,
-			Indent: 0,
-		})
 	}
 
 	files = append(files, libbeatFieldFiles...)
diff --git a/libbeat/generator/fields/module_fields_collector.go b/libbeat/generator/fields/module_fields_collector.go
index f9feeefc4b6e..a095b16aae19 100644
--- a/libbeat/generator/fields/module_fields_collector.go
+++ b/libbeat/generator/fields/module_fields_collector.go
@@ -19,7 +19,6 @@ package fields
 
 import (
 	"io/ioutil"
-	"os"
 	"path/filepath"
 )
 
@@ -69,16 +68,15 @@ func CollectModuleFiles(modulesDir string) ([]*YmlFile, error) {
 
 // CollectFiles collects all files for the given module including filesets
 func CollectFiles(module string, modulesPath string) ([]*YmlFile, error) {
-
 	var files []*YmlFile
+
 	fieldsYmlPath := filepath.Join(modulesPath, module, "_meta/fields.yml")
-	if _, err := os.Stat(fieldsYmlPath); !os.IsNotExist(err) {
-		files = append(files, &YmlFile{
-			Path:   fieldsYmlPath,
-			Indent: 0,
-		})
-	} else if !os.IsNotExist(err) && err != nil {
+	ymlFile, err := NewYmlFile(fieldsYmlPath, 0)
+
+	if err != nil {
 		return nil, err
+	} else if ymlFile != nil {
+		files = append(files, ymlFile)
 	}
 
 	modulesRoot := filepath.Base(modulesPath)
@@ -91,14 +89,14 @@ func CollectFiles(module string, modulesPath string) ([]*YmlFile, error) {
 		if !s.IsDir() {
 			continue
 		}
+
 		fieldsYmlPath = filepath.Join(modulesPath, module, s.Name(), "_meta/fields.yml")
-		if _, err = os.Stat(fieldsYmlPath); !os.IsNotExist(err) {
-			files = append(files, &YmlFile{
-				Path:   fieldsYmlPath,
-				Indent: indentByModule[modulesRoot],
-			})
-		} else if !os.IsNotExist(err) && err != nil {
+		ymlFile, err := NewYmlFile(fieldsYmlPath, indentByModule[modulesRoot])
+
+		if err != nil {
 			return nil, err
+		} else if ymlFile != nil {
+			files = append(files, ymlFile)
 		}
 	}
 	return files, nil
diff --git a/libbeat/scripts/Makefile b/libbeat/scripts/Makefile
index 4a5b00734da3..1ac501026d2d 100755
--- a/libbeat/scripts/Makefile
+++ b/libbeat/scripts/Makefile
@@ -80,7 +80,7 @@ PIP_INSTALL_PARAMS?=
 BUILDID?=$(shell git rev-parse HEAD) ## @Building The build ID
 VIRTUALENV_PARAMS?=
 INTEGRATION_TESTS?=
-FIND=. ${PYTHON_ENV}/bin/activate; find . -type f -not -path "*/vendor/*" -not -path "*/build/*" -not -path "*/.git/*"
+FIND?=. ${PYTHON_ENV}/bin/activate; find . -type f -not -path "*/vendor/*" -not -path "*/build/*" -not -path "*/.git/*"
 PERM_EXEC?=$(shell [ `uname -s` = "Darwin" ] && echo "+111" || echo "/a+x")
 XPACK_ONLY?=false
 
@@ -204,7 +204,7 @@ integration-tests-environment: prepare-tests build-image
 system-tests: ## @testing Runs the system tests
 system-tests: prepare-tests ${BEAT_NAME}.test python-env
 	. ${PYTHON_ENV}/bin/activate; INTEGRATION_TESTS=${INTEGRATION_TESTS} TESTING_ENVIRONMENT=${TESTING_ENVIRONMENT} DOCKER_COMPOSE_PROJECT_NAME=${DOCKER_COMPOSE_PROJECT_NAME} nosetests ${PYTHON_TEST_FILES} ${NOSETESTS_OPTIONS}
-	python ${ES_BEATS}/dev-tools/aggregate_coverage.py -o ${COVERAGE_DIR}/system.cov ./build/system-tests/run
+	python ${ES_BEATS}/dev-tools/aggregate_coverage.py -o ${COVERAGE_DIR}/system.cov ${BUILD_DIR}/system-tests/run
 
 # Runs the system tests
 .PHONY: system-tests-environment
@@ -309,9 +309,9 @@ coverage-report:
 fields: mage
 	@mage fields
 
+ifndef EXCLUDE_COMMON_UPDATE_TARGET
 .PHONY: update
-update: ## @build Update expects the most recent version of libbeat in the GOPATH
-update: python-env fields collect
+update: python-env fields collect ## @build Update expects the most recent version of libbeat in the GOPATH
 	@echo "Updating generated files for ${BEAT_NAME}"
 
 	@mkdir -p _meta
@@ -353,6 +353,7 @@ endif
 	@go run ${ES_BEATS}/dev-tools/cmd/kibana_index_pattern/kibana_index_pattern.go \
 	  -index '${BEAT_INDEX_PREFIX}-*' -beat ${BEAT_NAME} -fields $(PWD)/fields.yml \
 	  -version ${BEAT_VERSION} -out _meta/kibana.generated
+endif
 
 .PHONY: docs
 docs:  ## @build Builds the documents for the beat
diff --git a/libbeat/scripts/generate_fields_docs.py b/libbeat/scripts/generate_fields_docs.py
index bdcff718fd49..4fab927f396e 100644
--- a/libbeat/scripts/generate_fields_docs.py
+++ b/libbeat/scripts/generate_fields_docs.py
@@ -147,11 +147,12 @@ def fields_to_asciidoc(input, output, beat):
     parser.add_argument("path", help="Path to the beat folder")
     parser.add_argument("beattitle", help="The beat title")
     parser.add_argument("es_beats", help="The path to the general beats folder")
+    parser.add_argument("--output_path", default="", dest="output_path", help="Output path, if different from path")
 
     args = parser.parse_args()
 
     beat_path = args.path
-    beat_title = args.beattitle
+    beat_title = args.beattitle.title()
     es_beats = args.es_beats
 
     fields_yml = beat_path + "/fields.yml"
@@ -160,7 +161,10 @@ def fields_to_asciidoc(input, output, beat):
     with open(fields_yml) as f:
         fields = f.read()
 
-    output = open(beat_path + "/docs/fields.asciidoc", 'w')
+    if args.output_path is not "":
+        output = open(os.path.join(args.output_path, "docs/fields.asciidoc"), 'w')
+    else:
+        output = open(os.path.join(beat_path, "docs/fields.asciidoc"), 'w')
 
     try:
         fields_to_asciidoc(fields, output, beat_title)
diff --git a/libbeat/tests/system/beat/beat.py b/libbeat/tests/system/beat/beat.py
index e5a6f437c8a0..46445bf640e4 100644
--- a/libbeat/tests/system/beat/beat.py
+++ b/libbeat/tests/system/beat/beat.py
@@ -188,13 +188,16 @@ def start_beat(self,
         if output is None:
             output = self.beat_name + ".log"
 
-        args = [cmd,
-                "-systemTest",
+        args = [cmd, "-systemTest"]
+        if os.getenv("TEST_COVERAGE") == "true":
+            args += [
                 "-test.coverprofile",
                 os.path.join(self.working_dir, "coverage.cov"),
-                "-path.home", os.path.normpath(self.working_dir),
-                "-c", os.path.join(self.working_dir, config),
-                ]
+            ]
+        args += [
+            "-path.home", os.path.normpath(self.working_dir),
+            "-c", os.path.join(self.working_dir, config),
+        ]
 
         if logging_args:
             args.extend(logging_args)
@@ -492,8 +495,8 @@ def extract_fields(doc_list, name):
                 if "name" not in field:
                     continue
 
-                # Chain together names
-                if name != "":
+                # Chain together names. Names in group `base` are top-level.
+                if name != "" and name != "base":
                     newName = name + "." + field["name"]
                 else:
                     newName = field["name"]
diff --git a/libbeat/tests/system/test_base.py b/libbeat/tests/system/test_base.py
index 0a3c85850360..35d59b8e65c2 100644
--- a/libbeat/tests/system/test_base.py
+++ b/libbeat/tests/system/test_base.py
@@ -119,9 +119,12 @@ def test_version(self):
                      "-systemTest",
                      "-v",
                      "-d", "*",
-                     "-test.coverprofile",
-                     os.path.join(self.working_dir, "coverage.cov")
                      ])
+        if os.getenv("TEST_COVERAGE") == "true":
+            args.extend([
+                "-test.coverprofile",
+                os.path.join(self.working_dir, "coverage.cov"),
+            ])
 
         assert self.log_contains("error loading config file") is False
 
diff --git a/metricbeat/module/system/socket/listeners.go b/metricbeat/helper/socket/listeners.go
similarity index 100%
rename from metricbeat/module/system/socket/listeners.go
rename to metricbeat/helper/socket/listeners.go
diff --git a/metricbeat/module/system/socket/listeners_test.go b/metricbeat/helper/socket/listeners_test.go
similarity index 100%
rename from metricbeat/module/system/socket/listeners_test.go
rename to metricbeat/helper/socket/listeners_test.go
diff --git a/metricbeat/helper/socket/netlink.go b/metricbeat/helper/socket/netlink.go
new file mode 100644
index 000000000000..130c147a49c4
--- /dev/null
+++ b/metricbeat/helper/socket/netlink.go
@@ -0,0 +1,54 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// +build linux
+
+package socket
+
+import (
+	"os"
+	"sync/atomic"
+
+	"github.com/pkg/errors"
+
+	"github.com/elastic/gosigar/sys/linux"
+)
+
+// NetlinkSession communicates with the kernel's netlink subsystem.
+type NetlinkSession struct {
+	readBuffer []byte
+	seq        uint32
+}
+
+// NewNetlinkSession creates a new netlink session.
+func NewNetlinkSession() *NetlinkSession {
+	return &NetlinkSession{
+		readBuffer: make([]byte, os.Getpagesize()),
+	}
+}
+
+// GetSocketList retrieves the current list of sockets from the kernel.
+func (session *NetlinkSession) GetSocketList() ([]*linux.InetDiagMsg, error) {
+	// Send request over netlink and parse responses.
+	req := linux.NewInetDiagReq()
+	req.Header.Seq = atomic.AddUint32(&session.seq, 1)
+	sockets, err := linux.NetlinkInetDiagWithBuf(req, session.readBuffer, nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed requesting socket dump")
+	}
+	return sockets, nil
+}
diff --git a/metricbeat/module/system/socket/ptable.go b/metricbeat/helper/socket/ptable.go
similarity index 100%
rename from metricbeat/module/system/socket/ptable.go
rename to metricbeat/helper/socket/ptable.go
diff --git a/metricbeat/module/system/socket/socket.go b/metricbeat/module/system/socket/socket.go
index 7c45df08b7a1..98bfe431e132 100644
--- a/metricbeat/module/system/socket/socket.go
+++ b/metricbeat/module/system/socket/socket.go
@@ -24,17 +24,17 @@ import (
 	"net"
 	"os"
 	"path/filepath"
-	"sync/atomic"
 	"syscall"
 
+	"github.com/pkg/errors"
+
 	"github.com/elastic/beats/libbeat/common"
 	"github.com/elastic/beats/libbeat/logp"
+	sock "github.com/elastic/beats/metricbeat/helper/socket"
 	"github.com/elastic/beats/metricbeat/mb"
 	"github.com/elastic/beats/metricbeat/mb/parse"
 	"github.com/elastic/beats/metricbeat/module/system"
 	"github.com/elastic/gosigar/sys/linux"
-
-	"github.com/pkg/errors"
 )
 
 var (
@@ -50,14 +50,13 @@ func init() {
 
 type MetricSet struct {
 	mb.BaseMetricSet
-	readBuffer    []byte
-	seq           uint32
-	ptable        *ProcTable
+	netlink       *sock.NetlinkSession
+	ptable        *sock.ProcTable
 	euid          int
 	previousConns hashSet
 	currentConns  hashSet
 	reverseLookup *ReverseLookupCache
-	listeners     *ListenerTable
+	listeners     *sock.ListenerTable
 	users         UserCache
 }
 
@@ -72,7 +71,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 		return nil, errors.New("unexpected module type")
 	}
 
-	ptable, err := NewProcTable(filepath.Join(systemModule.HostFS, "/proc"))
+	ptable, err := sock.NewProcTable(filepath.Join(systemModule.HostFS, "/proc"))
 	if err != nil {
 		return nil, err
 	}
@@ -83,12 +82,12 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 
 	m := &MetricSet{
 		BaseMetricSet: base,
-		readBuffer:    make([]byte, os.Getpagesize()),
+		netlink:       sock.NewNetlinkSession(),
 		ptable:        ptable,
 		euid:          os.Geteuid(),
 		previousConns: hashSet{},
 		currentConns:  hashSet{},
-		listeners:     NewListenerTable(),
+		listeners:     sock.NewListenerTable(),
 		users:         NewUserCache(),
 	}
 
@@ -114,10 +113,7 @@ func (m *MetricSet) Fetch() ([]common.MapStr, error) {
 		debugf("process table refresh had failures: %v", err)
 	}
 
-	// Send request over netlink and parse responses.
-	req := linux.NewInetDiagReq()
-	req.Header.Seq = atomic.AddUint32(&m.seq, 1)
-	sockets, err := linux.NetlinkInetDiagWithBuf(req, m.readBuffer, nil)
+	sockets, err := m.netlink.GetSocketList()
 	if err != nil {
 		return nil, errors.Wrap(err, "failed requesting socket dump")
 	}
@@ -192,7 +188,7 @@ func (m *MetricSet) enrichConnectionData(c *connection) {
 		c.LocalIP, c.LocalPort, c.RemoteIP, c.RemotePort)
 
 	// Reverse DNS lookup on the remote IP.
-	if m.reverseLookup != nil && c.Direction != Listening {
+	if m.reverseLookup != nil && c.Direction != sock.Listening {
 		hostname, err := m.reverseLookup.Lookup(c.RemoteIP)
 		if err != nil {
 			c.DestHostError = err
@@ -227,7 +223,7 @@ type connection struct {
 	RemotePort int
 
 	State     linux.TCPState
-	Direction Direction
+	Direction sock.Direction
 
 	DestHost            string // Reverse lookup of dest IP.
 	DestHostETLDPlusOne string
diff --git a/metricbeat/tests/system/metricbeat.py b/metricbeat/tests/system/metricbeat.py
index e4182d44f775..8014d63bd44a 100644
--- a/metricbeat/tests/system/metricbeat.py
+++ b/metricbeat/tests/system/metricbeat.py
@@ -19,8 +19,12 @@ class BaseTest(TestCase):
 
     @classmethod
     def setUpClass(self):
-        self.beat_name = "metricbeat"
-        self.beat_path = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../"))
+        if not hasattr(self, 'beat_name'):
+            self.beat_name = "metricbeat"
+
+        if not hasattr(self, 'beat_path'):
+            self.beat_path = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../"))
+
         super(BaseTest, self).setUpClass()
 
     def de_dot(self, existing_fields):
diff --git a/x-pack/auditbeat/.gitignore b/x-pack/auditbeat/.gitignore
new file mode 100644
index 000000000000..1a3313209869
--- /dev/null
+++ b/x-pack/auditbeat/.gitignore
@@ -0,0 +1,4 @@
+/auditbeat
+/auditbeat.test
+/data
+/fields.yml
diff --git a/x-pack/auditbeat/Makefile b/x-pack/auditbeat/Makefile
new file mode 100644
index 000000000000..56633e2b3e59
--- /dev/null
+++ b/x-pack/auditbeat/Makefile
@@ -0,0 +1,3 @@
+ES_BEATS ?= ../..
+
+include $(ES_BEATS)/dev-tools/make/xpack.mk
diff --git a/x-pack/auditbeat/auditbeat.docker.yml b/x-pack/auditbeat/auditbeat.docker.yml
new file mode 100644
index 000000000000..3178297b6f73
--- /dev/null
+++ b/x-pack/auditbeat/auditbeat.docker.yml
@@ -0,0 +1,21 @@
+auditbeat.modules:
+
+- module: auditd
+  audit_rules: |
+    -w /etc/passwd -p wa -k identity
+    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+
+- module: file_integrity
+  paths:
+    - /bin
+    - /usr/bin
+    - /sbin
+    - /usr/sbin
+    - /etc
+processors:
+- add_cloud_metadata: ~
+
+output.elasticsearch:
+  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
+  username: '${ELASTICSEARCH_USERNAME:}'
+  password: '${ELASTICSEARCH_PASSWORD:}'
diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml
new file mode 100644
index 000000000000..a0332e1e73e2
--- /dev/null
+++ b/x-pack/auditbeat/auditbeat.reference.yml
@@ -0,0 +1,1278 @@
+########################## Auditbeat Configuration #############################
+
+# This is a reference configuration file documenting all non-deprecated options
+# in comments. For a shorter configuration example that contains only the most
+# common options, please see auditbeat.yml in the same directory.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/auditbeat/index.html
+
+#============================  Config Reloading ================================
+
+# Config reloading allows to dynamically load modules. Each file which is
+# monitored must contain one or multiple modules as a list.
+auditbeat.config.modules:
+
+  # Glob pattern for configuration reloading
+  path: ${path.config}/conf.d/*.yml
+
+  # Period on which files under path should be checked for changes
+  reload.period: 10s
+
+  # Set to true to enable config reloading
+  reload.enabled: false
+
+# Maximum amount of time to randomly delay the start of a metricset. Use 0 to
+# disable startup delay.
+auditbeat.max_start_delay: 10s
+
+#==========================  Modules configuration =============================
+auditbeat.modules:
+
+# The auditd module collects events from the audit framework in the Linux
+# kernel. You need to specify audit rules for the events that you want to audit.
+- module: auditd
+  resolve_ids: true
+  failure_mode: silent
+  backlog_limit: 8196
+  rate_limit: 0
+  include_raw_message: false
+  include_warnings: false
+  # Load audit rules from separate files. Same format as audit.rules(7).
+  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
+  audit_rules: |
+    ## Define audit rules here.
+    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
+    ## examples or add your own rules.
+
+    ## If you are on a 64 bit platform, everything should be running
+    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+    ## because this might be a sign of someone exploiting a hole in the 32
+    ## bit API.
+    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+    ## Executions.
+    #-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+    ## External access (warning: these can be expensive to audit).
+    #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
+
+    ## Identity changes.
+    #-w /etc/group -p wa -k identity
+    #-w /etc/passwd -p wa -k identity
+    #-w /etc/gshadow -p wa -k identity
+
+    ## Unauthorized access attempts.
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+
+# The file integrity module sends events when files are changed (created,
+# updated, deleted). The events contain file metadata and hashes.
+- module: file_integrity
+  paths:
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
+
+  # List of regular expressions to filter out notifications for unwanted files.
+  # Wrap in single quotes to workaround YAML escaping rules. By default no files
+  # are ignored.
+  exclude_files:
+  - '(?i)\.sw[nop]$'
+  - '~$'
+  - '/\.git($|/)'
+
+  # List of regular expressions used to explicitly include files. When configured,
+  # Auditbeat will ignore files unless they match a pattern.
+  #include_files:
+  #- '/\.ssh($|/)'
+
+  # Scan over the configured file paths at startup and send events for new or
+  # modified files since the last time Auditbeat was running.
+  scan_at_start: true
+
+  # Average scan rate. This throttles the amount of CPU and I/O that Auditbeat
+  # consumes at startup while scanning. Default is "50 MiB".
+  scan_rate_per_sec: 50 MiB
+
+  # Limit on the size of files that will be hashed. Default is "100 MiB".
+  # Limit on the size of files that will be hashed. Default is "100 MiB".
+  max_file_size: 100 MiB
+
+  # Hash types to compute when the file changes. Supported types are
+  # blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384,
+  # sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384, sha3_512, and xxh64.
+  # Default is sha1.
+  hash_types: [sha1]
+
+  # Detect changes to files included in subdirectories. Disabled by default.
+  recursive: false
+
+# The system module collects security related information about a host.
+# All metricsets send both periodic state information (e.g. all currently
+# running processes) and real-time changes (e.g. when a new process starts
+# or stops).
+- module: system
+  metricsets:
+    - host    # General host information, e.g. uptime, IPs
+    - process # Started and stopped processes
+    - socket  # Opened and closed sockets
+    - user    # User information
+
+  # How often metricsets send state updates with the
+  # current state of the system (e.g. all currently
+  # running processes, all open sockets).
+  state.period: 12h
+
+  # The state.period can be overridden for any metricset.
+  # host.state.period: 12h
+  # process.state.period: 12h
+  # socket.state.period: 12h
+  # user.state.period: 12h
+
+  # Enabled by default. Auditbeat will read password fields in
+  # /etc/passwd and /etc/shadow and store a hash locally to
+  # detect any changes.
+  user.detect_password_changes: true
+
+#================================ General ======================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+# If this options is not defined, the hostname is used.
+#name:
+
+# The tags of the shipper are included in their own field with each
+# transaction published. Tags make it easy to group servers by different
+# logical properties.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output. Fields can be scalar values, arrays, dictionaries, or any nested
+# combination of these.
+#fields:
+#  env: staging
+
+# If this option is set to true, the custom fields are stored as top-level
+# fields in the output document instead of being grouped under a fields
+# sub-dictionary. Default is false.
+#fields_under_root: false
+
+# Internal queue configuration for buffering events to be published.
+#queue:
+  # Queue type by name (default 'mem')
+  # The memory queue will present all available events (up to the outputs
+  # bulk_max_size) to the output, the moment the output is ready to server
+  # another batch of events.
+  #mem:
+    # Max number of events the queue can buffer.
+    #events: 4096
+
+    # Hints the minimum number of events stored in the queue,
+    # before providing a batch of events to the outputs.
+    # The default value is set to 2048.
+    # A value of 0 ensures events are immediately available
+    # to be sent to the outputs.
+    #flush.min_events: 2048
+
+    # Maximum duration after which events are available to the outputs,
+    # if the number of events stored in the queue is < min_flush_events.
+    #flush.timeout: 1s
+
+  # The spool queue will store events in a local spool file, before
+  # forwarding the events to the outputs.
+  #
+  # Beta: spooling to disk is currently a beta feature. Use with care.
+  #
+  # The spool file is a circular buffer, which blocks once the file/buffer is full.
+  # Events are put into a write buffer and flushed once the write buffer
+  # is full or the flush_timeout is triggered.
+  # Once ACKed by the output, events are removed immediately from the queue,
+  # making space for new events to be persisted.
+  #spool:
+    # The file namespace configures the file path and the file creation settings.
+    # Once the file exists, the `size`, `page_size` and `prealloc` settings
+    # will have no more effect.
+    #file:
+      # Location of spool file. The default value is ${path.data}/spool.dat.
+      #path: "${path.data}/spool.dat"
+
+      # Configure file permissions if file is created. The default value is 0600.
+      #permissions: 0600
+
+      # File size hint. The spool blocks, once this limit is reached. The default value is 100 MiB.
+      #size: 100MiB
+
+      # The files page size. A file is split into multiple pages of the same size. The default value is 4KiB.
+      #page_size: 4KiB
+
+      # If prealloc is set, the required space for the file is reserved using
+      # truncate. The default value is true.
+      #prealloc: true
+
+    # Spool writer settings
+    # Events are serialized into a write buffer. The write buffer is flushed if:
+    # - The buffer limit has been reached.
+    # - The configured limit of buffered events is reached.
+    # - The flush timeout is triggered.
+    #write:
+      # Sets the write buffer size.
+      #buffer_size: 1MiB
+
+      # Maximum duration after which events are flushed, if the write buffer
+      # is not full yet. The default value is 1s.
+      #flush.timeout: 1s
+
+      # Number of maximum buffered events. The write buffer is flushed once the
+      # limit is reached.
+      #flush.events: 16384
+
+      # Configure the on-disk event encoding. The encoding can be changed
+      # between restarts.
+      # Valid encodings are: json, ubjson, and cbor.
+      #codec: cbor
+    #read:
+      # Reader flush timeout, waiting for more events to become available, so
+      # to fill a complete batch, as required by the outputs.
+      # If flush_timeout is 0, all available events are forwarded to the
+      # outputs immediately.
+      # The default value is 0s.
+      #flush.timeout: 0s
+
+# Sets the maximum number of CPUs that can be executing simultaneously. The
+# default is the number of logical CPUs available in the system.
+#max_procs:
+
+#================================ Processors ===================================
+
+# Processors are used to reduce the number of fields in the exported event or to
+# enhance the event with external metadata. This section defines a list of
+# processors that are applied one by one and the first one receives the initial
+# event:
+#
+#   event -> filter1 -> event1 -> filter2 ->event2 ...
+#
+# The supported processors are drop_fields, drop_event, include_fields, 
+# decode_json_fields, and add_cloud_metadata.
+#
+# For example, you can use the following processors to keep the fields that
+# contain CPU load percentages, but remove the fields that contain CPU ticks
+# values:
+#
+#processors:
+#- include_fields:
+#    fields: ["cpu"]
+#- drop_fields:
+#    fields: ["cpu.user", "cpu.system"]
+#
+# The following example drops the events that have the HTTP response code 200:
+#
+#processors:
+#- drop_event:
+#    when:
+#       equals:
+#           http.code: 200
+#
+# The following example renames the field a to b:
+#
+#processors:
+#- rename:
+#    fields:
+#       - from: "a"
+#         to: "b"
+#
+# The following example tokenizes the string into fields:
+#
+#processors:
+#- dissect:
+#    tokenizer: "%{key1} - %{key2}"
+#    field: "message"
+#    target_prefix: "dissect"
+#
+# The following example enriches each event with metadata from the cloud
+# provider about the host machine. It works on EC2, GCE, DigitalOcean,
+# Tencent Cloud, and Alibaba Cloud.
+#
+#processors:
+#- add_cloud_metadata: ~
+#
+# The following example enriches each event with the machine's local time zone
+# offset from UTC.
+#
+#processors:
+#- add_locale:
+#    format: offset
+#
+# The following example enriches each event with docker metadata, it matches
+# given fields to an existing container id and adds info from that container:
+#
+#processors:
+#- add_docker_metadata:
+#    host: "unix:///var/run/docker.sock"
+#    match_fields: ["system.process.cgroup.id"]
+#    match_pids: ["process.pid", "process.ppid"]
+#    match_source: true
+#    match_source_index: 4
+#    match_short_id: false
+#    cleanup_timeout: 60
+#    # To connect to Docker over TLS you must specify a client and CA certificate.
+#    #ssl:
+#    #  certificate_authority: "/etc/pki/root/ca.pem"
+#    #  certificate:           "/etc/pki/client/cert.pem"
+#    #  key:                   "/etc/pki/client/cert.key"
+#
+# The following example enriches each event with docker metadata, it matches
+# container id from log path available in `source` field (by default it expects
+# it to be /var/lib/docker/containers/*/*.log).
+#
+#processors:
+#- add_docker_metadata: ~
+#
+# The following example enriches each event with host metadata.
+#
+#processors:
+#- add_host_metadata:
+#   netinfo.enabled: false
+#
+# The following example enriches each event with process metadata using
+# process IDs included in the event.
+#
+#processors:
+#- add_process_metadata:
+#    match_pids: ["system.process.ppid"]
+#    target: system.process.parent
+#
+# The following example decodes fields containing JSON strings 
+# and replaces the strings with valid JSON objects.
+#
+#processors:
+#- decode_json_fields:
+#    fields: ["field1", "field2", ...]
+#    process_array: false
+#    max_depth: 1
+#    target: ""
+#    overwrite_keys: false
+
+#============================= Elastic Cloud ==================================
+
+# These settings simplify using auditbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+#================================ Outputs ======================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+#-------------------------- Elasticsearch output -------------------------------
+output.elasticsearch:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify and additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  hosts: ["localhost:9200"]
+
+  # Enabled ilm (beta) to use index lifecycle management instead daily indices.
+  #ilm.enabled: false
+  #ilm.rollover_alias: "auditbeat"
+  #ilm.pattern: "{now/d}-000001"
+
+  # Set gzip compression level.
+  #compression_level: 0
+
+  # Configure escaping html symbols in strings.
+  #escape_html: true
+
+  # Optional protocol and basic auth credentials.
+  #protocol: "https"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the url with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Number of workers per Elasticsearch host.
+  #worker: 1
+
+  # Optional index name. The default is "auditbeat" plus date
+  # and generates [auditbeat-]YYYY.MM.DD keys.
+  # In case you modify this pattern you must update setup.template.name and setup.template.pattern accordingly.
+  #index: "auditbeat-%{[beat.version]}-%{+yyyy.MM.dd}"
+
+  # Optional ingest node pipeline. By default no pipeline will be used.
+  #pipeline: ""
+
+  # Optional HTTP Path
+  #path: "/elasticsearch"
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server url
+  #proxy_url: http://proxy:3128
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # The default is 50.
+  #bulk_max_size: 50
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Configure http request timeout before failing a request to Elasticsearch.
+  #timeout: 90
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Configure SSL verification mode. If `none` is configured, all server hosts
+  # and certificates will be accepted. In this mode, SSL based connections are
+  # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+  # `full`.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+  # 1.2 are enabled.
+  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+  # SSL configuration. By default is off.
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the Certificate Key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+
+#----------------------------- Logstash output ---------------------------------
+#output.logstash:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The Logstash hosts
+  #hosts: ["localhost:5044"]
+
+  # Number of workers per Logstash host.
+  #worker: 1
+
+  # Set gzip compression level.
+  #compression_level: 3
+
+  # Configure escaping html symbols in strings.
+  #escape_html: true
+
+  # Optional maximum time to live for a connection to Logstash, after which the
+  # connection will be re-established.  A value of `0s` (the default) will
+  # disable this feature.
+  #
+  # Not yet supported for async connections (i.e. with the "pipelining" option set)
+  #ttl: 30s
+
+  # Optional load balance the events between the Logstash hosts. Default is false.
+  #loadbalance: false
+
+  # Number of batches to be sent asynchronously to Logstash while processing
+  # new batches.
+  #pipelining: 2
+
+  # If enabled only a subset of events in a batch of events is transferred per
+  # transaction.  The number of events to be sent increases up to `bulk_max_size`
+  # if no error is encountered.
+  #slow_start: false
+
+  # The number of seconds to wait before trying to reconnect to Logstash
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Logstash after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Optional index name. The default index name is set to auditbeat
+  # in all lowercase.
+  #index: 'auditbeat'
+
+  # SOCKS5 proxy server URL
+  #proxy_url: socks5://user:password@socks5-server:2233
+
+  # Resolve names locally when using a proxy server. Defaults to false.
+  #proxy_use_local_resolver: false
+
+  # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
+  #ssl.enabled: true
+
+  # Configure SSL verification mode. If `none` is configured, all server hosts
+  # and certificates will be accepted. In this mode, SSL based connections are
+  # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+  # `full`.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+  # 1.2 are enabled.
+  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+  # Optional SSL configuration options. SSL is off by default.
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the Certificate Key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
+  # and retry until all events are published.  Set max_retries to a value less
+  # than 0 to retry until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Logstash request. The
+  # default is 2048.
+  #bulk_max_size: 2048
+
+  # The number of seconds to wait for responses from the Logstash server before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+#------------------------------- Kafka output ----------------------------------
+#output.kafka:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # The list of Kafka broker addresses from where to fetch the cluster metadata.
+  # The cluster metadata contain the actual Kafka brokers events are published
+  # to.
+  #hosts: ["localhost:9092"]
+
+  # The Kafka topic used for produced events. The setting can be a format string
+  # using any event field. To set the topic from document type use `%{[type]}`.
+  #topic: beats
+
+  # The Kafka event key setting. Use format string to create unique event key.
+  # By default no event key will be generated.
+  #key: ''
+
+  # The Kafka event partitioning strategy. Default hashing strategy is `hash`
+  # using the `output.kafka.key` setting or randomly distributes events if
+  # `output.kafka.key` is not configured.
+  #partition.hash:
+    # If enabled, events will only be published to partitions with reachable
+    # leaders. Default is false.
+    #reachable_only: false
+
+    # Configure alternative event field names used to compute the hash value.
+    # If empty `output.kafka.key` setting will be used.
+    # Default value is empty list.
+    #hash: []
+
+  # Authentication details. Password is required if username is set.
+  #username: ''
+  #password: ''
+
+  # Kafka version auditbeat is assumed to run against. Defaults to the "1.0.0".
+  #version: '1.0.0'
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty print json event
+    #pretty: false
+
+    # Configure escaping html symbols in strings.
+    #escape_html: true
+
+  # Metadata update configuration. Metadata do contain leader information
+  # deciding which broker to use when publishing.
+  #metadata:
+    # Max metadata request retry attempts when cluster is in middle of leader
+    # election. Defaults to 3 retries.
+    #retry.max: 3
+
+    # Waiting time between retries during leader elections. Default is 250ms.
+    #retry.backoff: 250ms
+
+    # Refresh metadata interval. Defaults to every 10 minutes.
+    #refresh_frequency: 10m
+
+  # The number of concurrent load-balanced Kafka output workers.
+  #worker: 1
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published.  Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Kafka request. The default
+  # is 2048.
+  #bulk_max_size: 2048
+
+  # The number of seconds to wait for responses from the Kafka brokers before
+  # timing out. The default is 30s.
+  #timeout: 30s
+
+  # The maximum duration a broker will wait for number of required ACKs. The
+  # default is 10s.
+  #broker_timeout: 10s
+
+  # The number of messages buffered for each Kafka broker. The default is 256.
+  #channel_buffer_size: 256
+
+  # The keep-alive period for an active network connection. If 0s, keep-alives
+  # are disabled. The default is 0 seconds.
+  #keep_alive: 0
+
+  # Sets the output compression codec. Must be one of none, snappy and gzip. The
+  # default is gzip.
+  #compression: gzip
+
+  # Set the compression level. Currently only gzip provides a compression level
+  # between 0 and 9. The default value is chosen by the compression algorithm.
+  #compression_level: 4
+
+  # The maximum permitted size of JSON-encoded messages. Bigger messages will be
+  # dropped. The default value is 1000000 (bytes). This value should be equal to
+  # or less than the broker's message.max.bytes.
+  #max_message_bytes: 1000000
+
+  # The ACK reliability level required from broker. 0=no response, 1=wait for
+  # local commit, -1=wait for all replicas to commit. The default is 1.  Note:
+  # If set to 0, no ACKs are returned by Kafka. Messages might be lost silently
+  # on error.
+  #required_acks: 1
+
+  # The configurable ClientID used for logging, debugging, and auditing
+  # purposes.  The default is "beats".
+  #client_id: beats
+
+  # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
+  #ssl.enabled: true
+
+  # Optional SSL configuration options. SSL is off by default.
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Configure SSL verification mode. If `none` is configured, all server hosts
+  # and certificates will be accepted. In this mode, SSL based connections are
+  # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+  # `full`.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+  # 1.2 are enabled.
+  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the Certificate Key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+#------------------------------- Redis output ----------------------------------
+#output.redis:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty print json event
+    #pretty: false
+
+    # Configure escaping html symbols in strings.
+    #escape_html: true
+
+  # The list of Redis servers to connect to. If load balancing is enabled, the
+  # events are distributed to the servers in the list. If one server becomes
+  # unreachable, the events are distributed to the reachable servers only.
+  #hosts: ["localhost:6379"]
+
+  # The Redis port to use if hosts does not contain a port number. The default
+  # is 6379.
+  #port: 6379
+
+  # The name of the Redis list or channel the events are published to. The
+  # default is auditbeat.
+  #key: auditbeat
+
+  # The password to authenticate with. The default is no authentication.
+  #password:
+
+  # The Redis database number where the events are published. The default is 0.
+  #db: 0
+
+  # The Redis data type to use for publishing events. If the data type is list,
+  # the Redis RPUSH command is used. If the data type is channel, the Redis
+  # PUBLISH command is used. The default value is list.
+  #datatype: list
+
+  # The number of workers to use for each host configured to publish events to
+  # Redis. Use this setting along with the loadbalance option. For example, if
+  # you have 2 hosts and 3 workers, in total 6 workers are started (3 for each
+  # host).
+  #worker: 1
+
+  # If set to true and multiple hosts or workers are configured, the output
+  # plugin load balances published events onto all Redis hosts. If set to false,
+  # the output plugin sends all events to only one host (determined at random)
+  # and will switch to another host if the currently selected one becomes
+  # unreachable. The default value is true.
+  #loadbalance: true
+
+  # The Redis connection timeout in seconds. The default is 5 seconds.
+  #timeout: 5s
+
+  # The number of times to retry publishing an event after a publishing failure.
+  # After the specified number of retries, the events are typically dropped.
+  # Some Beats, such as Filebeat, ignore the max_retries setting and retry until
+  # all events are published. Set max_retries to a value less than 0 to retry
+  # until all events are published. The default is 3.
+  #max_retries: 3
+
+  # The number of seconds to wait before trying to reconnect to Redis
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Redis after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # The maximum number of events to bulk in a single Redis request or pipeline.
+  # The default is 2048.
+  #bulk_max_size: 2048
+
+  # The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The
+  # value must be a URL with a scheme of socks5://.
+  #proxy_url:
+
+  # This option determines whether Redis hostnames are resolved locally when
+  # using a proxy. The default value is false, which means that name resolution
+  # occurs on the proxy server.
+  #proxy_use_local_resolver: false
+
+  # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
+  #ssl.enabled: true
+
+  # Configure SSL verification mode. If `none` is configured, all server hosts
+  # and certificates will be accepted. In this mode, SSL based connections are
+  # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+  # `full`.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+  # 1.2 are enabled.
+  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+  # Optional SSL configuration options. SSL is off by default.
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the Certificate Key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+#------------------------------- File output -----------------------------------
+#output.file:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty print json event
+    #pretty: false
+
+    # Configure escaping html symbols in strings.
+    #escape_html: true
+
+  # Path to the directory where to save the generated files. The option is
+  # mandatory.
+  #path: "/tmp/auditbeat"
+
+  # Name of the generated files. The default is `auditbeat` and it generates
+  # files: `auditbeat`, `auditbeat.1`, `auditbeat.2`, etc.
+  #filename: auditbeat
+
+  # Maximum size in kilobytes of each file. When this size is reached, and on
+  # every auditbeat restart, the files are rotated. The default value is 10240
+  # kB.
+  #rotate_every_kb: 10000
+
+  # Maximum number of files under path. When this number of files is reached,
+  # the oldest file is deleted and the rest are shifted from last to first. The
+  # default is 7 files.
+  #number_of_files: 7
+
+  # Permissions to use for file creation. The default is 0600.
+  #permissions: 0600
+
+
+#----------------------------- Console output ---------------------------------
+#output.console:
+  # Boolean flag to enable or disable the output module.
+  #enabled: true
+
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty print json event
+    #pretty: false
+
+    # Configure escaping html symbols in strings.
+    #escape_html: true
+
+#================================= Paths ======================================
+
+# The home path for the auditbeat installation. This is the default base path
+# for all other path settings and for miscellaneous files that come with the
+# distribution (for example, the sample dashboards).
+# If not set by a CLI flag or in the configuration file, the default for the
+# home path is the location of the binary.
+#path.home:
+
+# The configuration path for the auditbeat installation. This is the default
+# base path for configuration files, including the main YAML configuration file
+# and the Elasticsearch template file. If not set by a CLI flag or in the
+# configuration file, the default for the configuration path is the home path.
+#path.config: ${path.home}
+
+# The data path for the auditbeat installation. This is the default base path
+# for all the files in which auditbeat needs to store its data. If not set by a
+# CLI flag or in the configuration file, the default for the data path is a data
+# subdirectory inside the home path.
+#path.data: ${path.home}/data
+
+# The logs path for a auditbeat installation. This is the default location for
+# the Beat's log files. If not set by a CLI flag or in the configuration file,
+# the default for the logs path is a logs subdirectory inside the home path.
+#path.logs: ${path.home}/logs
+
+#================================ Keystore ==========================================
+# Location of the Keystore containing the keys and their sensitive values.
+#keystore.path: "${path.config}/beats.keystore"
+
+#============================== Dashboards =====================================
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards are disabled by default and can be enabled either by setting the
+# options here, or by using the `-setup` CLI flag or the `setup` command.
+#setup.dashboards.enabled: false
+
+# The directory from where to read the dashboards. The default is the `kibana`
+# folder in the home path.
+#setup.dashboards.directory: ${path.home}/kibana
+
+# The URL from where to download the dashboards archive. It is used instead of
+# the directory if it has a value.
+#setup.dashboards.url:
+
+# The file archive (zip file) from where to read the dashboards. It is used instead
+# of the directory when it has a value.
+#setup.dashboards.file:
+
+# In case the archive contains the dashboards from multiple Beats, this lets you
+# select which one to load. You can load all the dashboards in the archive by
+# setting this to the empty string.
+#setup.dashboards.beat: auditbeat
+
+# The name of the Kibana index to use for setting the configuration. Default is ".kibana"
+#setup.dashboards.kibana_index: .kibana
+
+# The Elasticsearch index name. This overwrites the index name defined in the
+# dashboards and index pattern. Example: testbeat-*
+#setup.dashboards.index:
+
+# Always use the Kibana API for loading the dashboards instead of autodetecting
+# how to install the dashboards by first querying Elasticsearch.
+#setup.dashboards.always_kibana: false
+
+# If true and Kibana is not reachable at the time when dashboards are loaded,
+# it will retry to reconnect to Kibana instead of exiting with an error.
+#setup.dashboards.retry.enabled: false
+
+# Duration interval between Kibana connection retries.
+#setup.dashboards.retry.interval: 1s
+
+# Maximum number of retries before exiting with an error, 0 for unlimited retrying.
+#setup.dashboards.retry.maximum: 0
+
+
+#============================== Template =====================================
+
+# A template is used to set the mapping in Elasticsearch
+# By default template loading is enabled and the template is loaded.
+# These settings can be adjusted to load your own template or overwrite existing ones.
+
+# Set to false to disable template loading.
+#setup.template.enabled: true
+
+# Template name. By default the template name is "auditbeat-%{[beat.version]}"
+# The template name and pattern has to be set in case the elasticsearch index pattern is modified.
+#setup.template.name: "auditbeat-%{[beat.version]}"
+
+# Template pattern. By default the template pattern is "-%{[beat.version]}-*" to apply to the default index settings.
+# The first part is the version of the beat and then -* is used to match all daily indices.
+# The template name and pattern has to be set in case the elasticsearch index pattern is modified.
+#setup.template.pattern: "auditbeat-%{[beat.version]}-*"
+
+# Path to fields.yml file to generate the template
+#setup.template.fields: "${path.config}/fields.yml"
+
+# A list of fields to be added to the template and Kibana index pattern. Also
+# specify setup.template.overwrite: true to overwrite the existing template.
+# This setting is experimental.
+#setup.template.append_fields:
+#- name: field_name
+#  type: field_type
+
+# Enable json template loading. If this is enabled, the fields.yml is ignored.
+#setup.template.json.enabled: false
+
+# Path to the json template file
+#setup.template.json.path: "${path.config}/template.json"
+
+# Name under which the template is stored in Elasticsearch
+#setup.template.json.name: ""
+
+# Overwrite existing template
+#setup.template.overwrite: false
+
+# Elasticsearch template settings
+setup.template.settings:
+
+  # A dictionary of settings to place into the settings.index dictionary
+  # of the Elasticsearch template. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html
+  #index:
+    #number_of_shards: 1
+    #codec: best_compression
+    #number_of_routing_shards: 30
+
+  # A dictionary of settings for the _source field. For more details, please check
+  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html
+  #_source:
+    #enabled: false
+
+#============================== Kibana =====================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+  # Kibana Host
+  # Scheme and port can be left out and will be set to the default (http and 5601)
+  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+  #host: "localhost:5601"
+
+  # Optional protocol and basic auth credentials.
+  #protocol: "https"
+  #username: "elastic"
+  #password: "changeme"
+
+  # Optional HTTP Path
+  #path: ""
+
+  # Use SSL settings for HTTPS. Default is true.
+  #ssl.enabled: true
+
+  # Configure SSL verification mode. If `none` is configured, all server hosts
+  # and certificates will be accepted. In this mode, SSL based connections are
+  # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+  # `full`.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+  # 1.2 are enabled.
+  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+  # SSL configuration. By default is off.
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the Certificate Key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE based cipher suites
+  #ssl.curve_types: []
+
+
+
+#================================ Logging ======================================
+# There are four options for the log output: file, stderr, syslog, eventlog
+# The file output is the default.
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: info
+
+# Enable debug output for selected components. To enable all selectors use ["*"]
+# Other available selectors are "beat", "publish", "service"
+# Multiple selectors can be chained.
+#logging.selectors: [ ]
+
+# Send all logging output to syslog. The default is false.
+#logging.to_syslog: false
+
+# Send all logging output to Windows Event Logs. The default is false.
+#logging.to_eventlog: false
+
+# If enabled, auditbeat periodically logs its internal metrics that have changed
+# in the last period. For each metric that changed, the delta from the value at
+# the beginning of the period is logged. Also, the total values for
+# all non-zero internal metrics are logged on shutdown. The default is true.
+#logging.metrics.enabled: true
+
+# The period after which to log the internal metrics. The default is 30s.
+#logging.metrics.period: 30s
+
+# Logging to rotating files. Set logging.to_files to false to disable logging to
+# files.
+logging.to_files: true
+logging.files:
+  # Configure the path where the logs are written. The default is the logs directory
+  # under the home path (the binary location).
+  #path: /var/log/auditbeat
+
+  # The name of the files where the logs are written to.
+  #name: auditbeat
+
+  # Configure log file size limit. If limit is reached, log file will be
+  # automatically rotated
+  #rotateeverybytes: 10485760 # = 10MB
+
+  # Number of rotated log files to keep. Oldest files will be deleted first.
+  #keepfiles: 7
+
+  # The permissions mask to apply when rotating log files. The default value is 0600.
+  # Must be a valid Unix-style file permissions mask expressed in octal notation.
+  #permissions: 0600
+
+  # Enable log file rotation on time intervals in addition to size-based rotation.
+  # Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h
+  # are boundary-aligned with minutes, hours, days, weeks, months, and years as
+  # reported by the local system clock. All other intervals are calculated from the
+  # unix epoch. Defaults to disabled.
+  #interval: 0
+
+# Set to true to log messages in json format.
+#logging.json: false
+
+
+#============================== Xpack Monitoring =====================================
+# auditbeat can export internal metrics to a central Elasticsearch monitoring cluster.
+# This requires xpack monitoring to be enabled in Elasticsearch.
+# The reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#xpack.monitoring.enabled: false
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well. Any setting that is not set is
+# automatically inherited from the Elasticsearch output configuration, so if you
+# have the Elasticsearch output configured, you can simply uncomment the
+# following line, and leave the rest commented out.
+#xpack.monitoring.elasticsearch:
+
+  # Array of hosts to connect to.
+  # Scheme and port can be left out and will be set to the default (http and 9200)
+  # In case you specify and additional path, the scheme is required: http://localhost:9200/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
+  #hosts: ["localhost:9200"]
+
+  # Set gzip compression level.
+  #compression_level: 0
+
+  # Optional protocol and basic auth credentials.
+  #protocol: "https"
+  #username: "beats_system"
+  #password: "changeme"
+
+  # Dictionary of HTTP parameters to pass within the url with index operations.
+  #parameters:
+    #param1: value1
+    #param2: value2
+
+  # Custom HTTP headers to add to each request
+  #headers:
+  #  X-My-Header: Contents of the header
+
+  # Proxy server url
+  #proxy_url: http://proxy:3128
+
+  # The number of times a particular Elasticsearch index operation is attempted. If
+  # the indexing operation doesn't succeed after this many retries, the events are
+  # dropped. The default is 3.
+  #max_retries: 3
+
+  # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
+  # The default is 50.
+  #bulk_max_size: 50
+
+  # The number of seconds to wait before trying to reconnect to Elasticsearch
+  # after a network error. After waiting backoff.init seconds, the Beat
+  # tries to reconnect. If the attempt fails, the backoff timer is increased
+  # exponentially up to backoff.max. After a successful connection, the backoff
+  # timer is reset. The default is 1s.
+  #backoff.init: 1s
+
+  # The maximum number of seconds to wait before attempting to connect to
+  # Elasticsearch after a network error. The default is 60s.
+  #backoff.max: 60s
+
+  # Configure http request timeout before failing an request to Elasticsearch.
+  #timeout: 90
+
+  # Use SSL settings for HTTPS.
+  #ssl.enabled: true
+
+  # Configure SSL verification mode. If `none` is configured, all server hosts
+  # and certificates will be accepted. In this mode, SSL based connections are
+  # susceptible to man-in-the-middle attacks. Use only for testing. Default is
+  # `full`.
+  #ssl.verification_mode: full
+
+  # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
+  # 1.2 are enabled.
+  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+
+  # SSL configuration. By default is off.
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+  # Optional passphrase for decrypting the Certificate Key.
+  #ssl.key_passphrase: ''
+
+  # Configure cipher suites to be used for SSL connections
+  #ssl.cipher_suites: []
+
+  # Configure curve types for ECDHE based cipher suites
+  #ssl.curve_types: []
+
+  # Configure what types of renegotiation are supported. Valid options are
+  # never, once, and freely. Default is never.
+  #ssl.renegotiation: never
+
+  #metrics.period: 10s
+  #state.period: 1m
+
+#================================ HTTP Endpoint ======================================
+# Each beat can expose internal metrics through a HTTP endpoint. For security
+# reasons the endpoint is disabled by default. This feature is currently experimental.
+# Stats can be access through http://localhost:5066/stats . For pretty JSON output
+# append ?pretty to the URL.
+
+# Defines if the HTTP endpoint is enabled.
+#http.enabled: false
+
+# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost.
+#http.host: localhost
+
+# Port on which the HTTP endpoint will bind. Default is 5066.
+#http.port: 5066
+
+#============================= Process Security ================================
+
+# Enable or disable seccomp system call filtering on Linux. Default is enabled.
+#seccomp.enabled: true
diff --git a/x-pack/auditbeat/auditbeat.yml b/x-pack/auditbeat/auditbeat.yml
new file mode 100644
index 000000000000..56e0f6c14638
--- /dev/null
+++ b/x-pack/auditbeat/auditbeat.yml
@@ -0,0 +1,195 @@
+###################### Auditbeat Configuration Example #########################
+
+# This is an example configuration file highlighting only the most common
+# options. The auditbeat.reference.yml file from the same directory contains all
+# the supported options with more comments. You can use it as a reference.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/auditbeat/index.html
+
+#==========================  Modules configuration =============================
+auditbeat.modules:
+
+- module: auditd
+  # Load audit rules from separate files. Same format as audit.rules(7).
+  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
+  audit_rules: |
+    ## Define audit rules here.
+    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
+    ## examples or add your own rules.
+
+    ## If you are on a 64 bit platform, everything should be running
+    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+    ## because this might be a sign of someone exploiting a hole in the 32
+    ## bit API.
+    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+    ## Executions.
+    #-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+    ## External access (warning: these can be expensive to audit).
+    #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
+
+    ## Identity changes.
+    #-w /etc/group -p wa -k identity
+    #-w /etc/passwd -p wa -k identity
+    #-w /etc/gshadow -p wa -k identity
+
+    ## Unauthorized access attempts.
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+
+- module: file_integrity
+  paths:
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
+
+- module: system
+  metricsets:
+    - host    # General host information, e.g. uptime, IPs
+    - process # Started and stopped processes
+    - socket  # Opened and closed sockets
+    - user    # User information
+
+  # How often metricsets send state updates with the
+  # current state of the system (e.g. all currently
+  # running processes, all open sockets).
+  state.period: 12h
+
+  # Enabled by default. Auditbeat will read password fields in
+  # /etc/passwd and /etc/shadow and store a hash locally to
+  # detect any changes.
+  user.detect_password_changes: true
+
+#==================== Elasticsearch template setting ==========================
+setup.template.settings:
+  index.number_of_shards: 3
+  #index.codec: best_compression
+  #_source.enabled: false
+
+#================================ General =====================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# The tags of the shipper are included in their own field with each
+# transaction published.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+#  env: staging
+
+
+#============================== Dashboards =====================================
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards is disabled by default and can be enabled either by setting the
+# options here, or by using the `-setup` CLI flag or the `setup` command.
+#setup.dashboards.enabled: false
+
+# The URL from where to download the dashboards archive. By default this URL
+# has a value which is computed based on the Beat name and version. For released
+# versions, this URL points to the dashboard archive on the artifacts.elastic.co
+# website.
+#setup.dashboards.url:
+
+#============================== Kibana =====================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+  # Kibana Host
+  # Scheme and port can be left out and will be set to the default (http and 5601)
+  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
+  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+  #host: "localhost:5601"
+
+  # Kibana Space ID
+  # ID of the Kibana Space into which the dashboards should be loaded. By default,
+  # the Default Space will be used.
+  #space.id:
+
+#============================= Elastic Cloud ==================================
+
+# These settings simplify using auditbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+#================================ Outputs =====================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+#-------------------------- Elasticsearch output ------------------------------
+output.elasticsearch:
+  # Array of hosts to connect to.
+  hosts: ["localhost:9200"]
+
+  # Enabled ilm (beta) to use index lifecycle management instead daily indices.
+  #ilm.enabled: false
+
+  # Optional protocol and basic auth credentials.
+  #protocol: "https"
+  #username: "elastic"
+  #password: "changeme"
+
+#----------------------------- Logstash output --------------------------------
+#output.logstash:
+  # The Logstash hosts
+  #hosts: ["localhost:5044"]
+
+  # Optional SSL. By default is off.
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+
+#================================ Processors =====================================
+
+# Configure processors to enhance or manipulate events generated by the beat.
+
+processors:
+  - add_host_metadata: ~
+  - add_cloud_metadata: ~
+
+#================================ Logging =====================================
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: debug
+
+# At debug level, you can selectively enable logging only for some components.
+# To enable all selectors use ["*"]. Examples of other selectors are "beat",
+# "publish", "service".
+#logging.selectors: ["*"]
+
+#============================== Xpack Monitoring ===============================
+# auditbeat can export internal metrics to a central Elasticsearch monitoring
+# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#xpack.monitoring.enabled: false
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well. Any setting that is not set is
+# automatically inherited from the Elasticsearch output configuration, so if you
+# have the Elasticsearch output configured, you can simply uncomment the
+# following line.
+#xpack.monitoring.elasticsearch:
diff --git a/x-pack/auditbeat/cache/cache.go b/x-pack/auditbeat/cache/cache.go
new file mode 100644
index 000000000000..6f213559b184
--- /dev/null
+++ b/x-pack/auditbeat/cache/cache.go
@@ -0,0 +1,59 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package cache
+
+// Cache is just a map being used as a cache.
+type Cache struct {
+	hashMap map[uint64]Cacheable
+}
+
+// Cacheable is the interface items stored in Cache need to implement.
+type Cacheable interface {
+	Hash() uint64
+}
+
+// New creates a new cache.
+func New() *Cache {
+	return &Cache{
+		hashMap: make(map[uint64]Cacheable),
+	}
+}
+
+// IsEmpty checks if the cache is empty.
+func (cache *Cache) IsEmpty() bool {
+	return len(cache.hashMap) == 0
+}
+
+// DiffAndUpdateCache takes a list of new items to cache, compares them to the current
+// cache contents, and returns both items new to the cache and items that are in the cache
+// but missing in the new data.
+func (cache *Cache) DiffAndUpdateCache(current []Cacheable) (new, missing []interface{}) {
+	// Create hashmap of incoming Cacheables to avoid calling Hash() on each one many times
+	currentMap := make(map[uint64]Cacheable, len(current))
+
+	for _, currentValue := range current {
+		currentMap[currentValue.Hash()] = currentValue
+	}
+
+	// Check for and delete missing - what is no longer in current that was in the cache
+	for cacheHash, cacheValue := range cache.hashMap {
+		_, found := currentMap[cacheHash]
+
+		if !found {
+			missing = append(missing, cacheValue)
+			delete(cache.hashMap, cacheHash)
+		}
+	}
+
+	// Check for new - what is in current but not in cache
+	for currentHash, currentValue := range currentMap {
+		if _, contains := cache.hashMap[currentHash]; !contains {
+			new = append(new, currentValue)
+			cache.hashMap[currentHash] = currentValue
+		}
+	}
+
+	return
+}
diff --git a/x-pack/auditbeat/cache/cache_test.go b/x-pack/auditbeat/cache/cache_test.go
new file mode 100644
index 000000000000..5e921a134b58
--- /dev/null
+++ b/x-pack/auditbeat/cache/cache_test.go
@@ -0,0 +1,55 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package cache
+
+import (
+	"testing"
+
+	"github.com/OneOfOne/xxhash"
+	"github.com/stretchr/testify/assert"
+)
+
+type CacheTestItem struct {
+	s string
+}
+
+func (item CacheTestItem) Hash() uint64 {
+	h := xxhash.New64()
+	h.WriteString(item.s)
+	return h.Sum64()
+}
+
+func TestCache(t *testing.T) {
+	c := New()
+
+	assert.True(t, c.IsEmpty())
+
+	oldItems := []Cacheable{
+		CacheTestItem{"item1"},
+		CacheTestItem{"item2"},
+	}
+
+	newItems := []Cacheable{
+		CacheTestItem{"item1"},
+		CacheTestItem{"item3"},
+	}
+
+	new, missing := c.DiffAndUpdateCache(oldItems)
+
+	assert.Equal(t, 2, len(new))
+	assert.Equal(t, 0, len(missing))
+	assert.False(t, c.IsEmpty())
+
+	new, missing = c.DiffAndUpdateCache(newItems)
+
+	assert.Equal(t, 1, len(new))
+	assert.Equal(t, 1, len(missing))
+
+	new, missing = c.DiffAndUpdateCache([]Cacheable{})
+
+	assert.Equal(t, 0, len(new))
+	assert.Equal(t, 2, len(missing))
+	assert.True(t, c.IsEmpty())
+}
diff --git a/x-pack/auditbeat/cmd/root.go b/x-pack/auditbeat/cmd/root.go
index 682c61362b40..fbb38140e3f6 100644
--- a/x-pack/auditbeat/cmd/root.go
+++ b/x-pack/auditbeat/cmd/root.go
@@ -7,9 +7,12 @@ package cmd
 import (
 	"github.com/elastic/beats/auditbeat/cmd"
 	xpackcmd "github.com/elastic/beats/x-pack/libbeat/cmd"
+
+	// Register Auditbeat x-pack modules.
+	_ "github.com/elastic/beats/x-pack/auditbeat/include"
 )
 
-// RootCmd to handle beats cli
+// RootCmd to handle beats CLI.
 var RootCmd = cmd.RootCmd
 
 func init() {
diff --git a/x-pack/auditbeat/docker-compose.yml b/x-pack/auditbeat/docker-compose.yml
new file mode 100644
index 000000000000..10b98ed7a305
--- /dev/null
+++ b/x-pack/auditbeat/docker-compose.yml
@@ -0,0 +1,13 @@
+version: '2.1'
+services:
+  beat:
+    build: ../../auditbeat
+    working_dir: /go/src/github.com/elastic/beats/x-pack/auditbeat
+    volumes:
+      - ${PWD}/../..:/go/src/github.com/elastic/beats/
+    command: make
+    privileged: true
+    pid: host
+    cap_add:
+      - AUDIT_CONTROL
+      - AUDIT_READ
diff --git a/x-pack/auditbeat/docs/modules/system.asciidoc b/x-pack/auditbeat/docs/modules/system.asciidoc
new file mode 100644
index 000000000000..abbd8844b86c
--- /dev/null
+++ b/x-pack/auditbeat/docs/modules/system.asciidoc
@@ -0,0 +1,148 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[id="{beatname_lc}-module-system"]
+[role="xpack"]
+
+== System Module
+
+experimental[]
+
+The `system` module collects various security related information about
+a system. All metricsets send both periodic state information (e.g. all currently
+running processes) and real-time changes (e.g. when a new process starts
+or stops).
+
+The module is fully implemented for Linux, and partially implemented
+for macOS (Darwin).
+
+[float]
+=== How it works
+
+Each metricset sends two kinds of information: state and events.
+
+State information is sent periodically and on startup (for some metricsets).
+A state update will consist of one event per object that is currently
+active on the system (e.g. a process). All events belonging to the same state
+update will share the same UUID in `event.id`.
+
+The frequency of state updates can be controlled for all metricsets using the
+`state.period` configuration option. Overrides are available per metricset.
+The default is `12h`.
+
+Event information is sent as the events occur (e.g. a process starts or stops).
+All metricsets are currently using a poll model to retrieve their data.
+The frequency of these polls is controlled using the `period` configuration
+parameter.
+
+[float]
+=== Configuration options
+
+This module has some configuration options for controlling its behavior. The
+following example shows all configuration options with their default values for
+Linux.
+
+NOTE: It is recommended to configure some metricsets separately. See below for a
+sample suggested configuration.
+
+[source,yaml]
+----
+- module: system
+  metricsets:
+    - host
+    - process
+    - socket
+    - user
+  period: 10s
+  state.period: 12h
+  user.detect_password_changes: true
+----
+
+*`period`*:: The frequency at which the metricsets check for changes. For most
+metricsets - esp. `process` and `socket` - a shorter period is recommended.
+
+*`state.period`*:: The frequency at which the metricsets send full state information.
+This option can be overridden per metricset using `{metricset}.state.period`.
+
+*`user.detect_password_changes`*:: If the `user` metricset is configured and
+this option is set to `true`, Auditbeat will read password information in `/etc/passwd`
+and `/etc/shadow` to detect password changes. A hash will be kept locally in
+the `beat.db` file to detect changes between Auditbeat restarts. The `beat.db` file
+should be readable only by the root user and be treated similar to the shadow file
+itself.
+
+[float]
+=== Suggested configuration
+
+Processes and sockets can be short-lived, so the chance of missing an update
+increases if the polling interval is too large.
+
+On the other hand, host and user information is unlikely to change frequently,
+so a longer polling interval can be used.
+
+[source,yaml]
+----
+- module: system
+  metricsets:
+    - host
+    - user
+  period: 1m
+  user.detect_password_changes: true
+
+- module: system
+    - process
+    - socket
+  period: 1s
+----
+
+
+[float]
+=== Example configuration
+
+The System module supports the common configuration options that are
+described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
+is an example configuration:
+
+[source,yaml]
+----
+auditbeat.modules:
+- module: system
+  metricsets:
+    - host    # General host information, e.g. uptime, IPs
+    - process # Started and stopped processes
+    - socket  # Opened and closed sockets
+    - user    # User information
+
+  # How often metricsets send state updates with the
+  # current state of the system (e.g. all currently
+  # running processes, all open sockets).
+  state.period: 12h
+
+  # Enabled by default. Auditbeat will read password fields in
+  # /etc/passwd and /etc/shadow and store a hash locally to
+  # detect any changes.
+  user.detect_password_changes: true
+----
+
+[float]
+=== Metricsets
+
+The following metricsets are available:
+
+* <<{beatname_lc}-metricset-system-host,host>>
+
+* <<{beatname_lc}-metricset-system-process,process>>
+
+* <<{beatname_lc}-metricset-system-socket,socket>>
+
+* <<{beatname_lc}-metricset-system-user,user>>
+
+include::system/host.asciidoc[]
+
+include::system/process.asciidoc[]
+
+include::system/socket.asciidoc[]
+
+include::system/user.asciidoc[]
+
diff --git a/x-pack/auditbeat/docs/modules/system/host.asciidoc b/x-pack/auditbeat/docs/modules/system/host.asciidoc
new file mode 100644
index 000000000000..484702d801b0
--- /dev/null
+++ b/x-pack/auditbeat/docs/modules/system/host.asciidoc
@@ -0,0 +1,21 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[id="{beatname_lc}-metricset-system-host"]
+=== System host metricset
+
+include::../../../module/system/host/_meta/docs.asciidoc[]
+
+
+==== Fields
+
+For a description of each field in the metricset, see the
+<<exported-fields-system,exported fields>> section.
+
+Here is an example document generated by this metricset:
+
+[source,json]
+----
+include::../../../module/system/host/_meta/data.json[]
+----
diff --git a/x-pack/auditbeat/docs/modules/system/process.asciidoc b/x-pack/auditbeat/docs/modules/system/process.asciidoc
new file mode 100644
index 000000000000..605d20d055ca
--- /dev/null
+++ b/x-pack/auditbeat/docs/modules/system/process.asciidoc
@@ -0,0 +1,21 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[id="{beatname_lc}-metricset-system-process"]
+=== System process metricset
+
+include::../../../module/system/process/_meta/docs.asciidoc[]
+
+
+==== Fields
+
+For a description of each field in the metricset, see the
+<<exported-fields-system,exported fields>> section.
+
+Here is an example document generated by this metricset:
+
+[source,json]
+----
+include::../../../module/system/process/_meta/data.json[]
+----
diff --git a/x-pack/auditbeat/docs/modules/system/socket.asciidoc b/x-pack/auditbeat/docs/modules/system/socket.asciidoc
new file mode 100644
index 000000000000..9c63d7bbb2d4
--- /dev/null
+++ b/x-pack/auditbeat/docs/modules/system/socket.asciidoc
@@ -0,0 +1,21 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[id="{beatname_lc}-metricset-system-socket"]
+=== System socket metricset
+
+include::../../../module/system/socket/_meta/docs.asciidoc[]
+
+
+==== Fields
+
+For a description of each field in the metricset, see the
+<<exported-fields-system,exported fields>> section.
+
+Here is an example document generated by this metricset:
+
+[source,json]
+----
+include::../../../module/system/socket/_meta/data.json[]
+----
diff --git a/x-pack/auditbeat/docs/modules/system/user.asciidoc b/x-pack/auditbeat/docs/modules/system/user.asciidoc
new file mode 100644
index 000000000000..6d64e9884885
--- /dev/null
+++ b/x-pack/auditbeat/docs/modules/system/user.asciidoc
@@ -0,0 +1,21 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[id="{beatname_lc}-metricset-system-user"]
+=== System user metricset
+
+include::../../../module/system/user/_meta/docs.asciidoc[]
+
+
+==== Fields
+
+For a description of each field in the metricset, see the
+<<exported-fields-system,exported fields>> section.
+
+Here is an example document generated by this metricset:
+
+[source,json]
+----
+include::../../../module/system/user/_meta/data.json[]
+----
diff --git a/x-pack/auditbeat/include/fields.go b/x-pack/auditbeat/include/fields.go
new file mode 100644
index 000000000000..faa71fae62d1
--- /dev/null
+++ b/x-pack/auditbeat/include/fields.go
@@ -0,0 +1,22 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package include
+
+import (
+	"github.com/elastic/beats/libbeat/asset"
+)
+
+func init() {
+	if err := asset.SetFields("auditbeat", "fields.yml", Asset); err != nil {
+		panic(err)
+	}
+}
+
+// Asset returns asset data
+func Asset() string {
+	return "eJzsvXtzG7eSKP5/PgVKp+pney9FPSw7jm7tvavYTqJKHGsje3P2VSI4A5KIZoAJgBHN7N3v/is0HgPMYMgZSso5WyWlypHImUYDaDT63YfolmzOEcnkVwgpqgpyjt6/vf4KoZzITNBKUc7O0f/5CiGkv0ALSopcTr9C9rdz+Ab+OUQMl+Qc4SVhCj7xIC+Cj5aC19U5OrV/JsbRP59WxACy46CMM4UpQ2pFUI4VRnjOawV/Sr5QaywIIkxRtZkgukCYbSZIrbBCGS8Kkik5QTlR5hcuEJ9LIu6IROSOMCURZwijFZcKvlX4lkhUEixrQcr4gSl6/wWXVUEkoiwr6pygbwlWcmpmKVGJNwgXkiNRM/2aHUrIKawgzGr6D25ecoWLAs0JqnhVF1iRHK2pWmlkMS0k4guYo1kLUTNG2VJD1R9qdILJCLReEUHgK5gWWuGqIozkMKcVCWeE1ljCPNnULvqCc8W4IuE2uKmeo0szZIYl0TjBlNGCC1TwpZw0OE41ESAq0YIWZE6wmqLvuEAXVx8miCr9hVoRDz+elt1eXFVHekI0I9OAEChbcFFiTSko50QixhXKVpgtCaILDxKIg0ok9TtqJXi9XKHfa1LrEeRGKlJKVNBbgn7Ei1s8Qb+QnBqiqATPiJTBgx6qrLMVwhL9xJdSYblCZk7oGhbeLaHaVOTcULhb1PYpCU+KJgrKmf8coYLckeIcZVyQ4FMD9pZs1lzkwec9Z0f//IsBHZHPNMYCIWJ29xy9nh5Pjw9FdprGU//7GEj+rEllK4aaEVCptxMDFvZIY6ZPzJLeEYYUR5jZ183T9usVKapFXYS0YchcuIkjteboO0uniDKpMMuIRJqXtI6a1IPr8xbBmtdKc4W6xAwJgnM8LwiSpMLCkCmViBGS6wPI0HpFs1V3uAigI96Ml3rwheBlYk0uF4hx5A4aLIM5ge4jvlCEoYIsFCJlpTbT1KYvOE9vt97Jx9juT5tqwHa7464HQFLhjUS4WOv/+X3ALEdyxesib8hgvgn4ZC1JPo2XjHnW5XegeX4NsOwwc9I8AnycLjShROD6iSYimBJnK8pIevktiPQe0PwxduAzo7/XBNFc35QLSoTZDn28YB2e0wXijCDyhUolXyT2571DXzN1cwnA+2u3G8DyaZ6c8ht8tnh1fJynp0yqFSmJwMVNavLkiyIsJ/n9FuC9G+M+a2BYUo6Yvo6KYmMvIYlwJriUSBCpsNCChuYPM0PqNJ/5W2vb4iy6AtUcSxLLU982n1hx6mS3OKXBIEmUE6X0uSqcGGKYk6ZhS7+KV2bp4QqWxD2oH8l4WWp5yExXQ9FbAbKKEaeG3YfhHA/+SdFSr1tZHXS2OMdqN0MS5PeaCpKfIyVqklrhg9Pjk9eHx68OT19+On5zfvzq/OXZ9M2rl/92MIx43mFFjjSaWs5igZjFBV1SpmW3BLV8Z2QkJ2gqe59ZOTYNUMtmS8KI0DAnmt9FILXgA29Q86i+ehIj/2JXxCw6XHx6r8It6vJ+vJR7c55mpf/9Pw4qwfM60+v4HwcT9B8HhN2d/sfBfw5c65+oFm0XbhAJLF3f9QovEcHZykyjZxYFnpNi6Dz4/DeSqdQ0/ouwu3PUTGSiRdOCZthgvOD8cI7Ffw+b0Y9kc3SHi5qgClPRXn/989bILW6mOM9RSbQ8EAi+irv9Q9fmBgQp2CpHjEhFYloxs9PaSVEgGN+cYam4Jg0s3RJvY/aznGe3RMzg5p3dvpEzu8Q9618SKfFyqBChyJfk8h/8QIqCo1+5KPKBZNM5bMThYg+B5336K/2k/TolZTHE1YoIvSEgPCThxXuWcZZhRVjMsBDK6WJBhD7adgsafqv0QV4IQooNkgSLbKWlyKkW8sq6ULQqYlB2fGkuKJD7Ng6NjJdzqvU9yhSHW6w7PbdHWUE7evrb8LNhivqFBaR5Wk4WMDo2K0UZVRQrDjcsRoyoNRe3eo0YgfNkZHGzVYIsschB9dIqGGdyEjxp9LM5zakwH+ACLQq+RoJkmj0YJfPT2ysLzojDDWYddPQH+vEAGVAtJGG5efz6X39GFc5uiXouXxj4hhwqwRXPeNEZxHBsLRC0hhNwORF95JyO6xZDCcwkBgSm6JqXxKuomurgIiaiRAfuiuHiQNOZIAsiouFZazrSqM72a3t5mz2cE29dCIwoMCzSqLCl28EGeIiz4byWWEK5oJY1TL8xZVCmUfrNsE9j2LCmCmtIQgkwzTpq3tYA09RiduQQ2InnhPtp37QayJ+iB7cwn8srzbMFkd5qY9avn9XrE8qFP+fo8uruTH9weXX32sEifUy24kINnEHB2XLYHK64UFux9yweZ4+hoXy4eDtoER0aOS8xfRQLiqVLM0Br9L+gD0QJmskOPvONIkMFj9au+Hvv5M3ZMBS/1YMZQ9dC8DI8slpS0qc6ME91CQjO0r2xPR1IWWa0Qeh2UF2SUP+2t9X30Yet62oHNt8T7i3LmKEMC7EJ7coYyYpkdEEzVHAj8CFBDB8yFidgPrGoJTSesZ2SCHqnWZeeL2aaRcCo087yhmwLBawr+MhLtxahaPD01nnohN9UnLYQ3rI+CP3E2ZKqOjfmlgIr+CO2qngiePZf6KDg7OAcHX79cvr65OzNy+MJOiiwOjhHZ6+mr45ffXPyBv33s9R8tExGGWHqpmVo3DWr7nneMafQ4OhH7ZnSz1yoFbooiaAZTqNdMyU2j470WzMOjNqD61vMcJ5EUpAl5ezRcfwFhtmG4j/XZE6y5DpS9ScsIlVbV/ADZ0oQXGzbaCr5TcbzP2WzL68/Ij1W34ZfbNnsPwNPu+E70Tz857cpTPu2O2Hl2xvFz5KIQ6eSBE8abcQx0QmylmAjUvIFWgrM6gILTTFWuRLEXAvTr7rbZcye3vpuuAsV5jLJCFNEWE1hUXAuEKvLORHgpARbkJPJZQu0QbFA1Wojqf7FeTczR8qyg87PHOzm+vFiY5RSyhCuFS/h5loS7ubds2NzLhVnh7k9qY2yyOu8rSs2Hw1TFb8z921wjRoJgNfgoKRsIbBUos5UHXoxm4WxtsfYM7LTcbmwwpqx18vQs4MZev/21PhR9S23ICpbEWn2Du5sGgxv3MMNzvqijw0KkWOaSm//j5HwAEXNrGNZkJIr7y9AvFaS5iQYK40dRtZPGoIMXanwsqW+2P5hwDagwLRhhw89tHaAeOHG23crwe9oTkRX2EwceU+NJDu9nxAfXfgwY4eId+OHRjGSnU7QMiMTxEXMaOiSKlzwjOC2LuDDHu4wLfCcFvo6+4OzhPVr21RreUiwVIcn2f1mfBGggTQamhSMtQlIEmi92cyeyZibZNAMdhqD/cyGTcDeLPtg7Zxx03s6kDzq9PDk9OXZq9dfv/nmGM+znCyOh03i0mKCLt858oMpRA7BfvzTDveHcYF51ILraghy7tu0d3if1VWn05LktC6HIf7BcafAjTwAb5yB/PZgNPH69euvv/76zZs333zzzTDEPzVc3OACMTtiiRn9w8YJ5N6CbP2Sm8ZkHF/UWgigEHuEsDEcHSrCMFOIsDsqOCvTFqfmQrz49dojQvMJ+p7zZUHMfY4+/vI9usxNiJQxfoPLOALVuE5TZmVzwXhO76SF1sfDJAb/VmxltLbAjnMksGY65b2NDjJmXmsSlrwWGRBTAKbl8FyRotJisxFbzI05xzIgGj+GdHr+RjMqRRttY6Rp0r79WCzgFwMelZjhpb7Rgcf6aSTd08YD1MO3HjNYwaOFaNtH5ccv8fJxmWYoR8Bo3oRgUFtjieY1LZQXjnqQVHj5WDg2h8ViiPvuycdcqQaLRtvuINDnn+1FoeOjNR/c7HP/weJ03JfeoEykoiy0r1kO9q7zxTAeFrw3wA0TDA96qgdjjLVH1veSALrdAcNCD4zhek0oL/q7dJ4ES/E/1YPSP4U/342yG5fH86WE5Po/zaESnkjnpoAD9HfsVdmCcwffJ9fKk2ulO6sn18qTa2XoIj65Vp5cK0+ulX1dK8QLPVH+HRqsYHwgCh+GN6O/XhXXwP5GyUm98djbwvPfXrtxzQ6acOiMw+wkUnyKZiSTU/vQzGQGiTjQWV+qZS2ViZCEbeoLe9Y/v64IQ7/XRGwg8s0EtXuFgrKcZkSiw0Nrjy7xxiGkF1gWdLlSxSY+PD7cM5gRwIBZGTQLLbdRpsjSZAtJhPPfNNpGYosAymxFSuzXxt6zvVMCi2MtTMCpfYdKdAJpXnOi8AlKGnmCBxqgnlCF4C2r3vvgo8F5nY1pLYO0qUoQkF4BPqgrmG3QLWX5VDMaPdPSRIqaB9QqcKGZDEe9NQUxDjK9iS6pE8ItTehuOzWSKkmKRZALwQz8aDWH+7f+rHydhc3k7OL6QNHX206nHrMnYLq50PNHyR0zY2vojqsbu2V3JTy53nXCm9/f7ZOGbOglZYDWxEO+qB4bdMGXyFipBc0iqpuiC/g2Dpl2io+jST3BIAtY8pKolZk1blJ7p+inJt4duJ7LSobgYVoSfQs7V5r+VINo3vbJzHwRRs47INglxSLIaXJ+c+sLb4K6jdaL5sREcDtlFDtjk1bsQrUUPAzJmPA5UWtC9Bg2NlCzc+zChs0ANrbaJDZnBZd6JhduqXcvq7MacUG00AB6SAGwsCJLbv6M0r81EukFTedUR+sakkCztCUpudggzf40AAcob+Wi39UFI8J4dGmTlW4fkxlmeqKQmb7fRf+orOvynd56b/D0/HeP/EB9I3QxfRirtT7nGn50s/al/i3pHTjg2od+rc+l805GSTsOYgTLXT0TsMpqAPb0BOKb06bNdRbi1nj0IqCaP83gidkEzaTCiuhfcIFFOZuiX7HQBwDS+Rc1xNl46YQvtLQyQetY9KgKDEYkGzihhWebm4WzjFQKcp5tDIW5nZyEM0FVQbAEhhmBBCt0huu2sOwJAfDuuWDMCd08yiVj+IQdoW/7vciwosuVzURI3wA9O3cZ0wGVhhFB2oPe9hVmdg+nJjNkNnHxPJIwaZPgG2UEx2Rl0W/w9LIsdpkhA8gg3jDyAGQQQawlSZBBihZqrWuCpxJ4bJoqzMwegyYgId3cTBmuFHBem2u+lUl43dMmAzX0QVlMDJ4AmoO/wrEF0lKD29pZcL3AgQdef4jzXJ91e2EfwoVN8lm8lbMFLchhJoi+PmcmScikJVLZZDS7+9POlOqxSlC4k+cV9qjCUup1PTTp0OmN4rXK+ON5H/Vs7BC7WPll8HWwW5jZ7Z4EJCzjML9mhNiYoo+ly+Vq7n/zsN0pWWd6c2wm5QLTohYkZswRzH4mPeZExiB7mfTAE2nnkN7gxyoe8QsBCdAI3nZV6p7MzSszI3zHIbDGRzg0edCaYMGM1KdC8bwuHr3miRnF2qoGVf4wpQdCZhK9EUCV3kZlqjRw4WvXJI9wuZG/F+nF0KhJMtRTuvdq2GH6zBmcaaI2FsaZfXaGnmt2JolCR1bKlkS90KsSz17rAbFBpZ7rt7RwbpYLOHF0ysNlNuK+XmxjVWnZe2wyNWUNEqYOEpii/Ed2vzUBG6ynbbN5JAH1nDBJ7oigaqgE1OdhPPh6YE71tR2vdaU5NFrCza8ra/RNx6/5t6yoUBJwETLN4YKYN68F+txrvT/PJKorpHiL60b3k+aIJb4lCHQqOxwlrnAFk1Qq0CqNnW9rMQSbdFvsTfl/QZ81EamaYUUgL5hKX3yImgpWcsXXzASYZarYoA1Rmlz/H8q5KfTAxW0EUssPmrdLtCZFEX11KdH/95eT07P/7QLcvHXNR5T8PygawcWtRgROFFgyGhtZBNBEJdLsViap9OCaVOjkG3T85vz09fnJsYnHfPv+u/Njg8c1yWq93eavaN/0zmkpxIh2wjxxMrUvnhwfJ99Zc1G6C2hRa1FFKl5VJHevmf9Lkf3jyfFU/3fSgpBL9Y+n05Pp6fRUVuofT05fng48CAj9gtdgL/NFAPgCfAfCk/9nG8aZk5IzqQRWxhBk7LxUpbQKy9bN7WSpgrKcfCHGlp3z7CYIUs+p1NufG46FmX58TloQTSUBkpsaNNTXzBKaGRHvN5/dGPvMLNxeGPscLXARCe0NGuF3nUOzwnJ1L/Guoa4m+Dr128W3b98N3rkfsFyh5xURK1xJqFkHVdwWlC2JqARl6oXeTIHXdh8U18sFMlSL4aDBm+sv0Fq0owoeJtbonQUc8WDNIBhmXJKMszzlHri0dXqmoCIAjZm/CcuBxG6Z5knArYxu0FTbansmHMvOiOfZgAkztGtGaEJhu/IiLcngbIm9NAJ/tJpJBLUWo8I7zyTyZYiaGoPWYBffOhbtWPMvBMH5Bj0n0+VU61C4LhS63khNJB6wfGHusgger2xVC4i6XlOZkmsvGrnej29GB85wjrA+5pyB+fLyncXj4H0teEWOLkqpiMhxefAiVgnxfC7InbGnuleuPx28ABMtQz/8cF6WzdVMceGeOjx+dX58fNCukeVNNUbJHEj1rSJPW7bUKsMGeicBK1lMyT7cJ1E3m64lcSoVZZm1YP9T8J2tERJ85AbvSCRWCYfb0z48ddVpAFVpqg82VOE4dFpusgU5WsgY9lNQZiTN1sSpqQwVVjyMYM43QaE7QQytg6spw8UUzZp5zoxnIazB6r+Lt+aLEjhT7noJMZy09s0j66dAw0pWzf7YWnqZqdFXVVqO4uBw0DewMcpoBch4+BKb0+FZzSMJfEOPhh6g4Y5tzLtEuYPWXBFCWL948/X6+7WfhLNouFZT1bCrE2g2O4KFjj1sho3vPGrW5KQZR3KRcKbonZb+9TotqJDK1a7tmxgZZfMfOy19S+2cFAwVTslPI4Kop1Tg3TMSVN7eyBYL3MYYFwXHAz20v1B5iwC2KWdLeUdDs7xbWsEcSV6AucdVOnQ/nyVBG14LWxjomfTakBUJ9GnbOcUbxkU5YgNHzPVnsFXSP0gO4+2Y9sS7ywqQ2o81Dzk5Pt5ScbbElJlQH1NFVi8H6KNgrAUrvb6AbeEkY/yTki5bt0GDnIRKfgBmjU3RE0kIwtbsClMxaxtUVrTloBIO7gUtWkUgnTPburu/ax7oW8cLgNL2mCJrGol9WOB0lmiuRTzHCq0jV38OwTbOLQn2DcB8Cmi4MnTuksNS8ow21a5Bb3Slu6I6U2bRjqzNxPlQgYgnSK24JLZAn7FWw2CXTh5HHzijisP18O/fXX74T1fMD+xhNrUZqntB+Igx9Tp7ajc5Ay8WxFwW+vH2HMJ6kNboM8oj2wSQq0aB6jswaUk42uYrrJHiNvm7iA9rU+9RLIm6eagxPwE4mAKIHXJTFpTdyuTYMEAUY3aPkUPmALvpoXeOOBxwe63iouBrRLDc6DVSBEhlvrHE5kAE1g+vnVZWSWsvaGj/vsd8YA7gTAYT5wTlVMBZs0v6IrmkOYmqAdxj/HcAqSdbcitJURbGAN0DhUsNqDFhuYAfw7GY/93ymRQqdRDb8EC0peVR8B5o/erz5bsXhpPY2zSI1Hp+DV82i4X4mrVqcXlD4zrMUL0v1QC0Z2ACF50kPJ/28TBLcyVoicXG8DZYk+9b006PHqVkPNj4YUp779jl/uTpD//x67PjNEIfNM2Gu04Z4pnCRcsWm0RN0j+GohYZibo0oCHpoSF9SrMQa1vkWqTBee7UmJmGNkM0llnASTxLs5gyykzejmQkj0dI/qQlZQimgkWykRIgRJc81ycoT46ePcboJVHYxJSD5zpPCFshwbocqeCj4dGEhlCDaMKSWFmwiYSFZ6QVKYVmgQW5w6wTGRxFUj1A1NfDWNz6g1bN3F2BfGDbR1WBlZYy/wapyqHzEVBL7HvQ8sFu+w/NJ0Mr5LrqJZGMbaucooyXVa1MVKMt/wFR4xDRF7SJSdguwz4xjZRqusKwIEQxbgZjijuw3SGMeqa2sruLWVxhka+xIBN0R4WqceGKb8gJegcVAoJqCEbd+bGeE8GIAmNqTvZNONazShPD/b3QP1jYYVWRlPlGBSX/ndVg7fydM4fhDOrj66kLomphSjwNLFbyWDP8edDsIF3T2vhgXsGcgrl8ZvSL00tt+k1dtDziv9e4AC5u831hZi7oVyNjg52aGCMtrZhwJKnPdqv+Eslo7stmGyVZcf1OX7WFxwxqNec5ZeG7kJ5QnSfPdhUxdVQmYECwzjzP3/UVQNlyURcRMMqMBWZQYZfzKOmjdt7JGfTjgC2cdhfpoZP4gWPQyqWe/7k57z/Y47Vj9MfubtNzvL7jwpbYcRXIbC8IaxGJ6q9pUNCiauZrJM1i89zlAt2VE1e4JciU8+x3Etr9g4I+gVEngtgQ4QDC83GXIltRRaBi396L2jh8v7x5ffP6bKBT92NFBFZNs64ImUSiOw9lXHuZNzCuAUbwxLikd334Pl63m9Wlw4J5C/FwZwWpwbt/HkFXvLqxa9r2yuvlq8AqFb9y6LvCtT7uNLE6BNZ7E7btQ/vkzjtJLgL+CMmnnX13A6Pn0KUtI0xxOUH1vGaqnqA1ZTlft+3bTWEjLNaUPWImbUPeH3CmieSvB/eYrFHoE9gucElbl/B98c3JnGI2Bttri4bdCuhNk6+wmiADawKdLuYyD7clMZlu8un9Z3NyPD05nb4+FNnpfTbA5VOCEC/wGkkloCRhYhq3WvItHnQWZ9Oz6fHhycnpoc0XuM9cDH4DpvRULCSxu0/FQp6KhcS4PhULeSoW8lQspIXiU7GQhysWslKqZYX+4dOnK/vJvlXYNQgf07JvxVLT4GpaErXij2Za/kGpyg2FzFDJuPTv33+aoKuP1/rfz5+2YwyttMTAyuR7JS4Z+E3eFay3Gz6Fvt5leX50NC/4cmo/nWa8POqbiaw4k2QqFVa1bPOcXbMZHm5sl9+MhsxoHbbjZ3F2fLYD3znPE1ksD5cJuKiLAhazQVoPmcTW9Bpcc1H0pJ/31sN5QNK2Y/TUZknUZCn4MmYHP/kPth//pv9gmG7eFIDYkw3AknSX6P7WtZ/4srkZXNRoX2on9NEjUYbsrxe//DyboNn7X37R/7v8+buPs+Qyv//ll/TU7p0M1J81AxcMGJU/bPTEQpVuVDJG7zK2jkbTgtYH9QW9MEHRiMIi4SAFT0Tg5mRhspcLqowfS6EaApR94nmFRbJO0aXxNwjsqx6hmR1iZoP2DaGGngmt8/mw3SqOe0UheVhIYSJvK4/XTn7SmWDL2GpcIyt8R3yMv9Q0ZlzVmSvfVFUFJbmx3BKWcWhnqUUNso6FLMqIhJ4fd7ZtaEEwg9y2nV1J90oVQpLbHKBnnVyh32siwA1jrZPGuTIoXShiRTZqL2ZHP0cfDveSuxDAblPRjJdlzeyam0AzfkeEY2jW+yniIELr+7Q9Me1XezlXHVgfydyOAnQWiT0Z6KP7u323fGOFhoJaHEnbNLQRm90iJcUrkL9+pQuansRjuVgujR/14/UlhNkUrdbz+jtLcOgnvCFiCuWgJ1AMWv97TbIJurr8MEFEZamJ6cfTU6KY4RujMjzW9iB0efHzBbqy7WXRzzAaeu6kwfV6PdVoTLlYHplIY6hNdOQa0h4a/LofTL+sVFm0DOAIXSvMcixyCDx2tQN8d9upYTW4oEtmUk0Ngf9M1HcFX3eakiMkvzMdec0BgkQXcypdK9vU/JIE9rqHrgRmckTR7lHLfw352tITfrDjNomSSUVwU1CAoB8N/FDhjBVmhy8qNDmi55/fXU3Qp7dXhiQPL99+uAJanL5IrcKnt1fpdQi6kD8WMV6YSRluYQytwaiWNlwwt5hTJbCgxcZGwJsyDfFarChbSnM3ljQT3EVfm8XFheRNck/4sLzdVGSCaPZ7nLW2wBmZc347QWpNlTLBAyE7cGq3pKq2N3RTBPCOsLyFYRMR7lOxiFZucuR8GT5HyNyCR7lmg5dXJuBSxujpbTddq9dUuDS9JLFfXH5Ib7M7io8iT3/tWaUbxpjlEPkyBZ1pggog/t9wptfYk3ICq0hxTc/FN+5+jMm8c8Cd9Bd0114sXBh+SyvXgoRJ7WkEpvMWR/sHRNmc1x1O9w+I1yr9BWWKiFhNMF/oc5n8omaQbtvFEQqTlriqgpKWtqqelnIOoQsNKpsUB1uPcOLFGLgg41NjSqA4QtZwnkkELgm9eHeUrPtKpKYxcUvNBaqIoCVRRPRj1joiAZZtzCKU9P8hIsEn57mhkicq3LQOJS64WGORk/zmccJfgkYWPmHMRs4HX1n1qxL8S9oecfLN6fRkejI9Tc/CisFqc/N4gZwXkMtvak8C/qBhBK0FLq9MYUTL67AVE7CfW5tRoMYWGgvyU6+UYqQ4Lw7xknGpaIakFVLC3lgxRRd8ndItfyJYMJOrhZU3qS2pWtVzMKbprYbivUd+MQ9pfigrkiV35NnJ+erj/5I/n/3wvz58/+rDvx69WV2Kv179np392z//cfyPz2IUHqWjxTZ7F1e4sOHewKzB6ghrPedalXE8sqcgwMw2iAAItjxV2DLEfe6qA0zQzElK9itD0lQgWZfJBXz5+k3PRXeflhk718RCv9eqWBiJdWm+SayM/3Ln2pyedTXqVgCPC1mKPx0Yg8w8tG6yX0UyigvHWyc+m8WEazZSn80u8q3qcqJIpiYOMjxuEgN3wzp0aoK9TYJCSU64dHIcRlktFS998LGBAz0MIZ7UzquVocjZgi6hXJ/iSNRsxDwlXyg9UFDFzQVAL6gga1wUcqJvelFLsy7KUNFRJWA+AMQFyLo7K7gOJWGSCzlBazKPRg7Ag9+q4FKiFFC9XhdXH+zcrWHDbXFo2cBFscWwYeUlAxZ8YZhtJmYpzayk31/pEjHNHsvm8t+ylO2ESPTB2hh/r0ltQKL3n36CKHjOgBTcFWFLKMT1vC2N+HoFUNEpJ1AP184eeiO+f3s93aOM95/XjqkTnfcndtbydNIZ/M+Msu/HoqOcPRgOngmaIaK2jwk07tcBYVvsaoNHy+PTVHkTFBePbHLyaJjRrE+8i8yjxUyv4naufntcPcAhFRG1Sg+mcM0o3c3mzFkNxE1F5LTrGoqAzZxyIGYTNHPMWP9Ocwn/q6QtsfplA7/wojAPG5auf2vYctrD5MA+RSg/RSg/RSg/RSg/RShvmctThPJ9GN5ThPJThHKM61OE8lOE8lOEcgvFpwjlh4tQ5mKJGf0j0UD9Y/eb4QFBIVh3HRMmaLYyywdWrb4uLGWF2UZfumZhPOBQy2zF8UzjTnUrUlRQuA0LgdnS1XBXtotAUAAeMxOQBSE2cXNyP244mX0jLR8zUCjcKdSpIPS3rSESrt00prxWH80ezXk4zd1XW+5qyr1ackpDTurHHe04oRuPpKSEVvyw1PQA2nBbF05O5N5HYrsePGaKWw5NRwu+D55d/XcblnvpvslJPEQw/E69d8yC9yqISfQ7Wu99sN+q746Zwy5dF7UdhNZDErO9q+jDfbqy9jI73wxy2vMmZs1NCR0tILzD+WyihioQK+ubS9L8KDq9NrgkDIU2PNl1t5pWNJ8hvlCEIanwRrqKgK4HpGnvqhXSIAIm4xU1ajnUfCr4HBdBVyCHciD0jOWlg+vODPdiX/k1ijmibRRjuy38qQKCQynB5pDNv4AC1kiLlwRKniwFLq3cK5CkJS1wOnind0JVcnEfIK3JzabCUDunU9inKXayTMQoPOyKYrGsy56uzh/wRisQRu40ZFwJrkimwKFMFb0jaY9WsLz/fiDl6mCCDg4L/a8WHvT/XbOU1wf/mZ48+UKyGnoPPNYSXMyhFjUxQf32jDoG0QyfnNVRLcXRnLKjXuoB7vjYuweD9DSw0jOB7ycmd8QcEOXK22Pp52riMN9iZqJiw54AsQclKPCDMJoLvpbgy3NpOBYht5ZrMkcV1Mx3Tay06Mp6K5VDf558ep9T1yQDnp4N9lNB04LLd49T6r65t0+PT14fHr86PH356fjN+fGr85dn0zevXv7bwOv7k+sGHJKpLYDfg/qai1vKljcm6ijZxHQfCeRoxUtyhIuw8u9O1C0uyOPirJ3RFR+JG9aqHYsbv0QfDhU3mp4sxPS/dEUwFzijBVVabKjoHQdCxoLX0AO6osTUH2469yGX7gffyXbVchvILQmBvpslZhutfmSkCRL5FA7qYZr+SeB3NopnOUGQQ+TDhc2holZqkBVnkO5lU7Ma0Xhml20aeIMvoJ2dIIqE3cCaQA0iJ0Hi25ygmuVEuJ7QViuc2LDMCYr6apuu2RPkHtIikItHC2Nfp+jSlLS308JFAQGdijco02o2McIcBumK2XWBRcE2O+DyCilB7yguis0EMY5KrBRkZIFnXsEAWEAvqg2km230QgWDnOPpfJpN89m+tUwTITO9B2lo2MxF4XNN9bIACXFXGK2VeBoEbXTi9a73iNazLyXS3yylQR23dP90uBRMvJQgSyxyE3AmoY75JHjSZCfMqY+B1LKwyeDJuMil6Vfz6e2VL8Rv2v45zAw6GaH6b7tSpjF7ga7/9Wcbd/lc+mrQGlQzvAFvatL5pKP2GLZIarHpTr4V58+k67wK7MAGyiGcqdqZOE3fFSJKdOAhHZjKuwsbc+JGZi1kpatMCV9bdcfZYxNpgq4iXWYYmGwBD3G3jeOuI9AYupsazJvQPQphjb/VLGt0KNsk37yXAtMsIeMqAKbpxGyR7WF9r8TvPyFqLYwWix59a3hky9oKyXz6g8uru9cNY+25mkdklY1QLLhQW7H/88MOt6JhSrU+BiaWLM0ArdEfJVK+yaN4czYMxW8hdB7qbzd5XjZ2zDbih6PWR0D3iWFvsB0oJF/ZmPYh6HZQfQqReAqR6M7qKUTiKURi6CI+hUg8hUg8hUjsGyJhs8y7amLz4XAntUtZb+skKvxOK1rC3JtN1wcTN4FD70hRgBe6L/hhQW1X38a3A1UejDXA3fGBDcUMr99o5Tk8QLOSB6vmHwQZ2NtM1IwZrRkm0FeFh/qWwqa4f+H7P9lO7+5983iJb4lEVOtgUtJ5qxmr4u1VDVLizA6yoFhXP2q+H4Az7wgC4QWCEpaBXVjKmkijPWqYguR6Mrb5CNh7IoBapLOxLq4PIM1d80Kfj8XyhhbgGUnZEtof2aYmbUwbl/7Lr8krMl+QY0xeZ2fffH2az8k3i+OTr8/wyeuXX8/nb07Pvl701AS5V7ZSYwwmBZaKZsa8dWhnNdASHApCjuab5BV7prbkr4S8zgOAjBbbbAT6jYGxzRdlKfhaAtdbx83J3XI3Ch8023AnUTTE7drw6O9t44GYIA23jnsSmwAp27Fj5oiQNe0lIhAXhak7ZdHVpJFTqQSd1xqMqwBi6EXUYF/z6vuKSyXbvdebI2LsQc4u4iZtCg/YqfV4J20VIejEyxfofbjz4RbAtGwaatj5OCtqqVpJK8Zl8x0X6FuCleyCoVKvmmsJjlHGK29x9+sIvbgiuNaavECMIwfHd055jAYXPSdijE8kyOfa6zQAAGf3tqnGpnNU4uqJmKS+33iLjB0KGuoObgkAWzmmMcYxsUxaO+dLz0QjzKKFbB+TwKulHiXF7q3tCAMDtPZlbHDPaBp6OT2dDm3n8S827KVFOqGkMoR+Gu4I9Sz5rRZJsY3SJMo0wIsFFh9xo2XZFPH0rBOpVqQkAhePWIPjvRujI6Y08gV6Thdwk0ML3k7MFgrklaZ/FXS6k67TsCDgubTFmDxZ03yGcg6du9K1i97gs8Wr4+NFM6InaPBNtWTc8LNhIq55ZYjF3TcnbbbQ2OSOnIU9AjXcwh5WPLFm9j2l2D/BRm7KVXQJ4H+GjTyF/d/ARr4NjUe0kRv6/B9nIzdoW6NzWBqlh4r+Hgzl/Th38H2ylj9Zy7uzerKWP1nLhy7ik7X8yVr+ZC0fYy2PNIlaFLEa8fmXn7YrDZ9/+cndsLbZpqk3WBVEEf3txEj2MtPK1cTG1UElQ6xWe0r3/f0BHiolzjVGb4r21wKqLbrwxqbXc68e8DMH2xlW+vluZbJJWIYnh4UsTdQ5NjXy9eJFACHKD0M4Jc4gBrbgS0t1+nUqbZbGb7VUTY9zV3yuWfCuvuqr3CdapDvwGCzqayw90hO/020JqU+Jjdc5LLdtTTfTjJ+fnb08Miac//v7P0Ymnb8oXmnwPV+nqUUv5mNRyuXC75XRc2mpVTe7hhDAWEtjAJ0YNtMUwPeJrBHEWS2KqYY5m+gNh5g9FW2RIBlnUokarDNcILdRhizjE98h0daG7LUF6XU2R/yxVvoaoHu3kWnpM/H1og9gIgc9x9B0bJ6dz1wjhwoHqjBA7l+dccrpw8z2nenk3TvbeLtS075kJvdBk54+/Y6/2ABMbvUUW2cQyk2b6NRiY1g26EfxPdy0F58a0z4UJrekHVXjBRpfct9pxLw666pFfqnjGfXos0mrSH/4MVNkGXkPBhpHOut9dvYy3Xfp7GWf5q1Wj0UbV9CIo48y7LFtk4RDDGLCHwszfchgAMusvNADuJpvTIZlG/8IjJ9Li/WkyBzO9f+Fc02+QN3QoLB1OCLE4Jtj4BrTRIAY13CAkn2Ru2Au8Lr/DsOY81r5p+IZqNZCGGtx07WkrFSDF0zBPBF7pAyElnsm8g+iOVFrYitfqzU3p70vG1rgZRlbMx6WLrlQgVcBBKaFstHes7/MAiJVvOrdzL8kmbRDvmdutSTiMbMwP1v4LbrttbtJ2YL9wBzAwO/HJlyXlkQvR2ZI6E0Br3jbMZCu0ACPGqkXOh+SOxyQnOKoEZ2nrkOa7/gEnhXQjEPLuf6EEmlOsAcFA62wNHXH1QozeJ3mk0YTYVBEZOOkcOAP4LRCfNHgtBpYR0KJelcZCRMIHH0UmDyjzzvFJRIFKGLPzt9DIM/Hllejbgf2eNO+3p+e8/EwgSS4mJNIHtgmPa709e5yogu+bISrLXhqMbxts7pH8uAFIIzeQ3ebSHbcwXmeSaNlaFRM5eg7TIsmQ7eDOCkxfTztWB88GMHJez1YrLB8NCHIBpQ5JrCKg7pC1mQc0PAg1AzibFNCGyb9SOIS+izJoi70Ks+ANKD4gbB/QPiND1GBwudA+biI2WGrW0mGmb7Q7DXes1xt38CDrtf3ENXhGTQ1BgG4X6ehCSDq/udL+wJqUpNeLDORjEiJxabn5olL5TT3Dwo/H3cLGZDuLmp87FrVsZUsXHK2uxX1uxtjGfHg5IqvbefENZl77z6EpQRFkE2WLhZa9qo94lGVkL+N8aqvVeW2A2PncRcHfzSLmtRwDj7wP2hR4KNX02P0nF6tOCP/G729+ozM7+jjNTo5vTkxDaRcLZ8X6KKqCvIrmf9I1dHr41fTk+nJK/T8xx8+ffhpYp79nmS3/IWLRTk6OZ0eow98TgtydPLq/cnZG3SNF1jQo9fHZ9OTgzE3yT7M2Qw2bC1DB1NDFiOqmj/Mmf6X7k62MYncuNPj9CKaXhPTh1tLQxrj19Ii8lSt+6la91O17qdq3U/VurfMZVC17r+gT6SsuMBgifoC4b1Eoa+nxyjHcjXnWOTS1SeZulcgg6KWCi25d3VlcropwQMGZQTWVBKkiFQS5Zw9U6hpYOujpQhW4Z1iVggX1KfBVFitzu2NBZHU3fdbTVK2w/APhxPxnZuhBIn75uO7j+epRmXW3nhEMnlkkjeOTr5+E+HVGqt/+3v2s92bxd7YFrNrcgchqF1Zd00E8Y2sTYR0e0Kfq1xrPwtaEL16R5TKI+spxFnGoT5FsZn2yOnTCqtsNX5CV/q1lFgZCiOJ4UrKfOeZEcN90K/tMxz+ba/h9Gt7DGdkmfHjhfKQDwpwglHPWFwmZheE842ZWlrC6Rm0s4MDBk1tX3dQS9e1KPxRA9fzoANwXQuaYYVRyfPaFOWqJVikp2HIZxD18IDnueuSiRx1Xx1qsIa9feWF2W/NX4kh3rou+hkvS87gPR9Y7cxAYNkobF0R23/nq1gPjdiqoiX5oxHRu2y1pEuBDRqB1dMwW2O79SAi6Af/BLXWFC6rgwh4UBpMLxAVJI9AG2E7eq6xm9VLfRudvlYrdHp88nqCTk7PX746f/Vy+vLlALuBR6npEmoWquBLW4EHaMuUb4GaYtGkFPbFCPuqCNm2zBt41pibfT0shSpikpVM3AsRYREdD8NkzUQDm/2L1pHPfyOZk/XNHzcjiNVTE3Aw17gPSMjF20cYECFaJzzUKnoGea9faulTUJsnz6ktfqS1K8gAsJlhMI4P9u9rGddKt9onxwNQM0ttD6I5V81RfOv+HnAYR57Dr8KttUmp7VWNRv2OFgRhZdP47PqkTrUkqvYGfwNyznlBMGsfpuDMRUNdE2WC1Yz8AJ4VmzGnQc/QnCo9zBR9LKmCyBMnCE7bOddq+Xi4LEfhYoxtES6KfFHb6Rd6eBrHEV9Ygdr7vYCQfV6xbzVtR2r1YreBO4VNWLQTDyK2TDxVztes4Nj5rqfoI4vUQVlXFRc2aabE2cfrCbqjGMDcfnh3qUj564oI8p3gpWzoJdSa3ULRhcM0NHBYIbnlVkDGzXMTH0cfhorXX20/ib3L2zQgZpwdYoaLDRjkwQLtfIe1scOD+X65FGRpG8vzdpSTnY8pVNiixIKy+ssw/qVviuv3P+kXrDtL+bRR2MIkc0o4WgctBzRaWLMmEd7w8ml7kXmQuz4ULEB6Jv1sNJA24Fb40r6gbUiQ56nxIKAw7xijKUZ8PGJcgNyw8ILXecDB9Z/OCQw5plgTR5qlf7DfGokyi16V+spqkrBxnt/AAzcOpKvgyUWLzQdh5fqFaSU4bK/ni37a9pvDLyPUAvOKZgbfc74siJmxF5ovtCBn6hgUeShE+PwuovDUIwZT3aFgtx7ug+ayw29a/L8PoK9YQPPdMAfYAVpQG2NAAq5NxL8JhIrtYO0LCVNFANWyUFpQtbnZKmKHoLtvbdkvkPkGLnBAd30QTTrBIGj2UXvqcp7dAuHYY/fO/Z0gYfMdZEa3U4vtd/oAyRUX6sZIpY25HLNsxYUb79AfuR4Fx6OFdvrmUCs9CVMGDt/7yZjWNe0BRtXkE8OVeHlPqTZkDgDOpz4ZBLSMMa9poVCq/W2DSstqvk8KvB8zzsLpjlXgOSlkZ7RIv0HbdZwduFzCSphx/FVhXSiWZH8wfyWAXGoFJSBU2xJHv+5KeEwD2tSfpygT/dd/u5Fv6zkRjJgUUjv+j+FnCSya7/0tFl9JDVAUjr79IDUv7TxMEdLjDlTF8wcgqGAFKp6jhqO3h6rve2yDka54jj5fvusOBPk4Fc4eblINxO5gPO84Ze85GM9JzxIOPY7DBjLQUImr7kgQCmNk+YcaLgCZHvMhWVwwbhZxu23DPgCTT45r4FoOg+ucqkAOvnB/t+VpacoTGc0GLBje9OVlXXjXGlB7bBhe52kzhRQnwW37xBZ7lYnPAxPV5bsIygggqdfJiPfJYkEy6PORgrSQI0CBEcP67VLAxsCCTJ8UkLbNZQsMU+KnvTYjADRrkwQlR4CSRKWBLMZACVc4CU3/e6N5QwhwgC3zcoFmgkhe3GmlRkJsukZZcbBeOf+ot6SCOQXK98/ckE1Q/5oWRRBdV+KqsrkQNXXmD7gQXN6MHTmP4xmek+lyCgcKHf4fJDhXL7YbJ3B4OQ5Q9YPzFwzcPYODgPWBISPhtM5jAmJ4JgeB7JzLBNCxMJvzmQC2HAfLUHJq7UYCap/X1DxHgmzObXInRkLrnl8P9cGNeThTXDysNQ9nUD0AyXpu7axgtqw1I1A0quOxr2WvNnHgoU2vBXE/kx6sxp9v0WsPaw168WgZVmQZ9u7Zc04ODoLGc2WFhbKNvwJpJuzwt9Up4/uHDfDLkC+DPcpxTy5Lq+1eXH5l1oOvRr0gtgtVtxNRtAJBtsnWBbDVk8BQrwRdLk2LNJ/W07saQVbkALSNj8BEYKtVu2swwqhm9AuSPLslKppHO+Nm62TeBSXHXPrq3+3MvIQ/TOaW5PeasFYUyu4QDVPr2LxqC1l4egTHJoYeznTJAkMEhKNN0XU8JLLvm+R4m/EOsWo1ZerlqZOfbDQbVJ3ETHO3gvvmGc10pGybKgd5vc2E4GV0+a7BXXHT+JKyKfQg8r18mgpQ5msPyUEBSQ5S1nxhV+hVFSMsiKwLtQXfhlXWJkyLC7RoUnc659gA9BeZpgaSu+gZziB0U8M50kBetL1hdVliz0x3GXI8yWk+0WLAcWRxmv06Cm/yAeMDBciHx6qLQsibaYB6/02wM87bAuqRCaKj6S4RXwEkpgT9c/luii6VIQbGla30CJNy/msTZ2ErQELWvWnDZCWGroVUkoyzfI/JGiK3L++coCsfE81HBR0SVbNaE0S+ZKRSINT4EBqffwmZyTNZz9rXd8uas5N2Ui5iSGyG5nBcWIBoTsAJD4bZuuJxPZbdxHT/KJKLdqEhPfp6ZUsMHQC+Bxp7o6lp4XZi2XmcJ67X8NDylBddWtiT7A8OHo6qPCyf1Mfv5/ZvagKs+NqRJrBULFFFxIKLkuRT9NkWDFUBITTSFDJlZjJelvrOAP4CXg4gDSM1kXzLRd65vfsN3NF8frIZcfBK5+buUGGap1IW1u0asIrUWG7hKm1L/eRuDCQTSQrvInAS1wyiSo4aOMHxvRmrCHXIRQMZq+okgYzXbpJghigwO6FEHGQvGPsYKky4SGj6CySNkWTQZFuFxY6fQzVM6NNdEAn1m1+0BtL/jp3+LWVQqsDMwgsr5qxCPRotMebtNdrHhGDWKLIABscuzBIbANH079BvQU15i27GRd5Bthx5oPXzaFHgJcQz4SYcsCeFaej84VxThvBdJmMeZyNg0DDbSRMR08hqtjt8T5RmIC+2o1p3IM6Isj0vTL1alFNZcUkTRpMw4HwMu4P30vwTZx0RZbupx1linM0nYf7SeuTY0yhIyRVpqaBBurZrkGkzk1sjZrRajePUzMYMZGJTKW4BIEmMw7t9ckadxLwWRkAzC2Sl3xZIW9RjFMpeFbUvB/09LQWFXdO9D5uykZZNaO2nxQvT8JMyt0qeebWHkPSPcSyRbJB+B0TqHcBltYcF2nXJ7jBBXydvBG2SYgHvUUUyVQvLuTqAl9lYwM2O+mb8ru7yF5LdgUlYqyltNhAku4xiA5DwkmQDNaOj2ICxVefhe026wHycvNMi3xRHUUSUUdGAIQts3zFHPeQlri9NJfhS4FLfQa3xlgIzxcWo41nh0vqLJcIVxAqyZSDhtwVX1wt51Ea6lwLW1XdueDWWHNuyiVdHfFCyNbm0d0eNMlErtUG1Jclx2xIfh6GEql9xR40y6wxq58LwDIzE7akFYsMw8/unfw0j7L1DKM5wHicV2I7VHSYwit1YYoEeBMWSC6pWZd91Vy3GET4RsKK25btWtgXJNqgkasU7V6ki5SjoMZ8Eg7HtGh7ZPdrc+PheCgo+ud/rp/d7/eW9Xm/l8g1eZZ9oOFL4KqK6lIP865lmy7YkcPC2V+fGQrTSI5TxTN5v5Mvo+w3Yhn4PBWXG/YEexVzt4dNSz4KyJRxq2qHZYqzcHK+jFZ070tNem9O/khmubKT2KB7BJf3SvEs78jDDYnkPvhDLT9bYiBKyEyPrQ8K0nDFKqGRkDbzdmu0NACSJ0oeifXz1MzdznN0WfHlT0HIc6ZkhjID1TCILB/1ek5qgQNAOBInxIgS3rRa6m3szzrjhBO0mxKIhENQEHIWGgnH3N8lqKFIPb1rBBEzuWnW4ox3ewcj6php1OvXeumlUWmiECIat0+BFvg8VuUrVQymJj41c8olC3RDCCPlRMIvcOPdaYOaYMTJORLavmP3jzHBBkqOqiQ71DJZgrWqNUyrBiWrftKRitO+2FHJXHmbqy1h2c6fPY8aZFvBsXmRH5t5zv3r1VUk0SY5aZRf2AbQMvhUZnJsO/MhLO2qAi395i3KSUXAJg8pE8qOcMNoZRXNdEbRXGmmp5wsk2NI5vnJf5Biju7Ywok8mI6Om405l2J8r9JF3xpB0Se5u9AN8FCujS1BHU7cqHQdqi0OEF/kNYQsuMjpuwfU510tgXiala+VYt69qvcR3WVXvs8bNjf326jOUPG1DF/q8jgHtI8OQDQ0LAASRCOPEya1xBnGYQfv2z/ORooVfEn0RGddDTlRKMVvgUQZ8KwU5mo6UUH8yC3Z7OJJrVTQ36KqCsltntpaE5R1qlPX8t1HSp6wqeMmwxa3MFv/78eHL/xzLxNuSYtLClsVu+kHWH2WKsBrnC2Ua8qJN3K2qWoMvtWfSl4xJH/qMl6NIgzcrbFzIBWVJy5vm3CP5achHLcvexk3dNXU36tT76FYwAzQwQleU380Cy7Hn38T4wZvb0YeAylHrQ+WNeelGYXkbR0n5k07HQATfl8eSshURdKcMG0tGI1mVfdmwq7aML0fdOyYOcFNwnEcc15p52trOg5sGNIVLMtbTr3m1o8Hg3eY+v8MFzW8sA9uHsuNX/fxH2v3s9IMz2ca0+jL2gF9e/dVbHdLSzEi1hVZZw5HSSkuJMzCEjgEL3YMYUe6G0q+gy3fGc9vmoHvcUzYea+slRUferZdXYHNeClz6pg9BjEKCdscZa8NMg1CeTrG2u3KsZAAaUq8uA9aFUYzNgRrI0rRkOlZlrgS5o7yWJqEopehyOU569JTcxNy2ufv4yA73SZ8Dj44MF4mOXE/AiKaunMrbUWoblbc7CavCIqzYO/CSCJUeXwsEIKXiRwoyyrNWELb0Mex+5xcFHqdDVYR523HKS1yPpE6MPn/unqOR0TaSZFrgcJGGCXM2aAFLMdJsZsR/m6/UYyu+GWcpB1ofaITT5FmOC2nStzYuISyDL1BJSi42Wn788du23gJml32u7cbqYo9BTjKag72rNcZeWrqewSAtXa9OtsJjI+M0fP0azhQRzggzQIrXrPehLDxRkcuUjadWQSeGIceyVtANTSxw1mM2ycpR59KpTXHAbQvmivNRvLPx+eo3jRvOii4Ztg0eErs8OqZT77GoWZTN5gl/7P0pbSXJXnOzpKOoYpuVLPasrDFVN4qOc3T2eFc0LBTA8jcVWKhHaQb2lZQyrQ/JSI7lDGeDuNZYnuUrDHaYVsJSzIt8pPTGi3ysBKdZ2R77mWNSctZKQzeKNVTVDaB6GQyq/40fquDLZzJ+O3Q9jRTD9FF00leLzbaAqz1UScgewWJJFCTyhFafLSpLiUepQruDy9ZBYe09YnnN+z3mgLDM9NhbpwVrpPzTm/0953wcO7YXoJMg4mqhXsDPyios1jaMALTGyxfwsgtgThBtwbORF9XaaEoQ1m79bQGQiGU0l9bQS9CEhQheUpnVmk8EYngTtzxqjW0ZeIg717KGM/BtlWnoWHk4jMMwDdjj+yPyUY9ipaGPeiArzckC14U63INv2FdB0EyboUAXG8vsPKNztdo0EM2Z1ixp2dCXPPSSHM1SDXEuuABXu+tHqXn3ssvvYDdGRqyuxwY+uFC7fbbDyfyOa4dEGycFR4rX3Ti5JbQMhYE62z0PgeY9jrV3NmHkkpjD1m/XDEJDhjlabJaOfq/GBf1jUJYOmLTGOYrGR5qMdok6odFXy0i7RMVIS7LlmVvFFPD0j8U3NKancOXz3+7Da6JE3EayH2lNDi6mVDyu3qh7GMsinbdzExnFZ4FpMTImpqXuWAgpJxll43RqKKG9VaW+G3Xv23PnqkumeERoUBsEsyxxtdUcB3avkV517/a2dNAbhnFvy/x2mtAjjLRMe1u31Gw9YeqW5PeRMS1xnYz2hv0pV9Dv840atw6N8Vui32vsKwWEgJolGesabAekmG45WYcDwSU9/vL0t/9AyUNz5LHhOpoh7w7V0RQ42vjEi7zX+AT6wqjbNDQxDLxR87Fh1taFennVI2nAFT0yx7tzQ3frWVGeqWKkWfJT04DHB7q4YnoAryfeRY70Kpsg8X7hC1cVFuW4JDX3jk3ICfoztLnK458ZTUo3JR53m7ctafr9dgkGZ8xI5ayMZObG5trrYwTuMj6KZKindf7bzT6FELcIZIJgOS4bLjBhoZwwrkxzEgPI16xOZt8VVI62pLVlKWOqhx7RvZGYYy0rji8Msa7M63Hpw9bMJOu5kzJqCe6VULQvOFtK5CXjiDOPOnchZx5xU41lpJHq0GWij2R9qsWok/X5l0tUccqAQCHsMG0XMmL+HokFIWnKZ9KmFRzlFDry9ofx7mdhiYl0oJXFiKtjZan2PZkItarGQSycl1ZyhoM0Js+F97SzDwxaVaODERsDvg030gDoIl1Wc6TAHXpPdsWYMjKq8pEhDqPISAJVBOKcDo/yuLRu2zvWwk9VIOpLiKblcu+sD9DUTW+J7QkgRb6P192RecfzvsvnfjNy9VwlTH+/bHc62ED3MSOsVxB2Z86EVb3XWDpQi7pAXCDG0xbl/WWKXQZlq0yPugy8BpSTgqiecFcTZd+CG8eP9/eIEN2+5W2UEiJ+EMyaqKAX6TcjoEL75DhlQCpRQ8mL7jB7jxIVeunC7TQD74Psi0fWjH7ZNqKdk2vvrR+fIFrdncG/ryfOopOqQNfUNR0xyXH1TcPxXI2hr8Lxdnfsu2CIixwUjMIWaFN2Qx1EJEhGqLcmBUVHtYbiIUGXZUjPU1xzOkMApgpdzjNQKG0ZRVOvnUrPvOgCKpcELTORL6vgREFXEgMKLHGh35lRlhV1Tm4EXt9YdF2deQ8nqjMfr9kaC0bZMl6zeI96lk0Th3u72wICOpbaWj52bLMaQdHDVsnFpreElbwAmPOmYZbDdz57NSd3pOAVKOn6y5zM6yZWpqpFxaWtQxaVwV0Sbl2TbWaTnKieJrzi+3VqBMmCMleMNuPsjjAKhjzXlXTDaxu61mgDhAmarZoNrKXRuBx0UIgoQz/xpVRYrvQOX7IlkQr9zHPSrR8cxjRq6ZgwFfY5G8Sl4xKLTTyZ6wEFUDultanaPOxIVG063QuhX9iDDmNAdmbDa6bE5oZKfjM2ODQc7a2Bgy6vP0KUaKf8OY+ETk9/hN+AejNsPlrFpKrOCRB9gRX84VtU6Tv2RmtHS2Gkc9vOBZrBXgaftxn9gLYuMexEe5cgeA/L1fAz9gOWKyKjfpkw11uyMeetKbrCoMOFKdtpyybDI45/rQhakS+IML0DOcopnB/znC3cmWxsXeBbcjq/OX31eign/Panix/fn84PT1+9hunG7T6T0F++ORsL/eWbs6HQX52cjoX+6uR0F/QyfzUU6od3r3ZBkytfHGYnuOsfLk4GwDs9Hbyo1z9cnJ7uXE8NczgZaJi7KUCu8IjNv/7hYsC+a5g342YPzw+DO2oF4PlBcEeuws3QdRhB/AB3AOXLFR4HdTDMkbv26uT0aNi+AexROwewd+/dly+r14NR/utfX6eQtTeUsbM1N9PBNXxwkG5iOOxmsibZ5kYSpCBYQumiigiqhURQ9ZONDuDlKVhzoinu7PDUp5naPpHuJ6XUbrnlEZppADPX7MnNtzANJAPXTtiju2/G7qeNa2COraIw8AbjoNnDTpT1z2cApEVYhhk3VcPlNDHinHPVM2YeRjAPGPNbzk3oeWoc3+qO/kHyxGCx2WbQeLa7vNkJK/3bNn0JBDRif3DW6cTYrwzvRCBs1+rAu781VhMEZeO/vf60FSG+WEiippJkD7Dxnxo8FtZauWX3OxXW7rUeP1hoqZFoatP3HANdvksNEVY2fcDBooKpphHAlzevb16fvUghEfqf7zV24JMmyb2jVWKg1oc7xmgiAdJDcJkYos08d4wy4zJgnwHHRHjOaxUautnSXQARjC67DOxaBVYaYmvQ/lXfuSYfrz1Qu9sZYYrLCarnNVP1BK0py/lavpgmMeocp/tiA1qzweQDzvQnf+0ZumNxvP/gztYIwwuSr7CaoJzMKWYTtBCEzGW+a0WsM+ZB8bIw0wO2ipPce7xPCRJ9Jp3ZsYOKv8xDF+E+oocGsPPs6Ids8fnu4RkviTwWISP0WXa6iUerRdsQLUdjiiyjhRw+WnxPBHbHhx3rexuimx4sLGsYDnaPZXwm0YqXJGz/lhpZrkjxgMcAoStT0BgpDpFv2OZL9myoJOKmG/wUIxI5qAdi8b0VwU1R10AERx+ZiVScRN1mliTj1srfQw6dG82h1+ljPQDBGYDbem4x25hBZVSdtsICXB7P52TDrVnNxmC6flfwVovPpo8x2n6U0Q5aGLQTyBN/91yjrecN7ThzI4fvO3sulCO5ualt37W3DuD27fW75iJJnjOurB/NfkKVJMVi9E6quOdVPKF77uRFB20NdoquuJR0XoQmXjSTK5zz9Y1fjx6Yz6NJgyGC+nrXBgaYJF5MmrW9cT6n2aQH6ozxZmQ9hjnsOWZLIqAEitRnTKtBGWaaSSHKXkwQZqnFAYhQ2TgE6suqe+ytn5ChI6KyIxNthCQJy4C3doU3TaIZIgzGgCqhBmJn9wMHBZbqpl3YKoCcVtDNz6DNNs1hNhGPcRNdYwkIuOJY06/+/wAAAP//gu3nzw=="
+}
diff --git a/x-pack/auditbeat/include/list.go b/x-pack/auditbeat/include/list.go
new file mode 100644
index 000000000000..fa0a85e49b98
--- /dev/null
+++ b/x-pack/auditbeat/include/list.go
@@ -0,0 +1,16 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/module_include_list/module_include_list.go - DO NOT EDIT.
+
+package include
+
+import (
+	// Import packages that need to register themselves.
+	_ "github.com/elastic/beats/x-pack/auditbeat/module/system/host"
+	_ "github.com/elastic/beats/x-pack/auditbeat/module/system/packages"
+	_ "github.com/elastic/beats/x-pack/auditbeat/module/system/process"
+	_ "github.com/elastic/beats/x-pack/auditbeat/module/system/socket"
+	_ "github.com/elastic/beats/x-pack/auditbeat/module/system/user"
+)
diff --git a/x-pack/auditbeat/magefile.go b/x-pack/auditbeat/magefile.go
new file mode 100644
index 000000000000..9ce795c33cf5
--- /dev/null
+++ b/x-pack/auditbeat/magefile.go
@@ -0,0 +1,173 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build mage
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/magefile/mage/mg"
+
+	auditbeat "github.com/elastic/beats/auditbeat/scripts/mage"
+	"github.com/elastic/beats/dev-tools/mage"
+)
+
+func init() {
+	mage.BeatDescription = "Audit the activities of users and processes on your system."
+	mage.BeatLicense = "Elastic License"
+}
+
+// Build builds the Beat binary.
+func Build() error {
+	return mage.Build(mage.DefaultBuildArgs())
+}
+
+// GolangCrossBuild build the Beat binary inside of the golang-builder.
+// Do not use directly, use crossBuild instead.
+func GolangCrossBuild() error {
+	return mage.GolangCrossBuild(mage.DefaultGolangCrossBuildArgs())
+}
+
+// CrossBuild cross-builds the beat for all target platforms.
+func CrossBuild() error {
+	return mage.CrossBuild()
+}
+
+// BuildGoDaemon builds the go-daemon binary (use crossBuildGoDaemon).
+func BuildGoDaemon() error {
+	return mage.BuildGoDaemon()
+}
+
+// CrossBuildGoDaemon cross-builds the go-daemon binary using Docker.
+func CrossBuildGoDaemon() error {
+	return mage.CrossBuildGoDaemon()
+}
+
+// Clean cleans all generated files and build artifacts.
+func Clean() error {
+	return mage.Clean()
+}
+
+// Package packages the Beat for distribution.
+// Use SNAPSHOT=true to build snapshots.
+// Use PLATFORMS to control the target platforms.
+// Use VERSION_QUALIFIER to control the version qualifier.
+func Package() {
+	start := time.Now()
+	defer func() { fmt.Println("package ran for", time.Since(start)) }()
+
+	mage.UseElasticBeatXPackPackaging()
+	mage.PackageKibanaDashboardsFromBuildDir()
+	auditbeat.CustomizePackaging()
+
+	mg.SerialDeps(Fields, Dashboards, Config, mage.GenerateModuleIncludeListGo)
+	mg.Deps(CrossBuild, CrossBuildGoDaemon)
+	mg.SerialDeps(mage.Package, TestPackages)
+}
+
+// TestPackages tests the generated packages (i.e. file modes, owners, groups).
+func TestPackages() error {
+	return mage.TestPackages()
+}
+
+// Fields generates a fields.yml and include/fields.go.
+func Fields() {
+	mg.SerialDeps(fieldsYML, mage.GenerateAllInOneFieldsGo)
+}
+
+// fieldsYML generates a fields.yml based on auditbeat + x-pack/auditbeat/modules.
+func fieldsYML() error {
+	return mage.GenerateFieldsYAML(mage.OSSBeatDir("module"), "module")
+}
+
+// ExportDashboard exports a dashboard and writes it into the correct directory.
+//
+// Required environment variables:
+// - MODULE: Name of the module
+// - ID:     Dashboard id
+func ExportDashboard() error {
+	return mage.ExportDashboard()
+}
+
+// Dashboards collects all the dashboards and generates index patterns.
+func Dashboards() error {
+	return mage.KibanaDashboards(mage.OSSBeatDir("module"), "module")
+}
+
+// Config generates both the short and reference configs.
+func Config() error {
+	return auditbeat.Config(
+		mage.OSSBeatDir(auditbeat.ConfigTemplateGlob),
+		auditbeat.ConfigTemplateGlob)
+}
+
+// Update is an alias for running fields, dashboards, config.
+func Update() {
+	mg.SerialDeps(Fields, Dashboards, Config, mage.GenerateModuleIncludeListGo,
+		Docs)
+}
+
+// Docs collects the documentation.
+func Docs() error {
+	return auditbeat.CollectDocs(mage.OSSBeatDir(), auditbeat.XpackBeatDir())
+}
+
+// Fmt formats source code and adds file headers.
+func Fmt() {
+	mg.Deps(mage.Format)
+}
+
+// Check runs fmt and update then returns an error if any modifications are found.
+func Check() {
+	mg.SerialDeps(mage.Format, Update, mage.Check)
+}
+
+// IntegTest executes integration tests (it uses Docker to run the tests).
+func IntegTest() {
+	mage.AddIntegTestUsage()
+	defer mage.StopIntegTestEnv()
+	mg.SerialDeps(GoIntegTest, PythonIntegTest)
+}
+
+// UnitTest executes the unit tests.
+func UnitTest() {
+	mg.SerialDeps(GoUnitTest, PythonUnitTest)
+}
+
+// GoUnitTest executes the Go unit tests.
+// Use TEST_COVERAGE=true to enable code coverage profiling.
+// Use RACE_DETECTOR=true to enable the race detector.
+func GoUnitTest(ctx context.Context) error {
+	return mage.GoTest(ctx, mage.DefaultGoTestUnitArgs())
+}
+
+// GoIntegTest executes the Go integration tests.
+// Use TEST_COVERAGE=true to enable code coverage profiling.
+// Use RACE_DETECTOR=true to enable the race detector.
+func GoIntegTest(ctx context.Context) error {
+	return mage.RunIntegTest("goIntegTest", func() error {
+		return mage.GoTest(ctx, mage.DefaultGoTestIntegrationArgs())
+	})
+}
+
+// PythonUnitTest executes the python system tests.
+func PythonUnitTest() error {
+	mg.SerialDeps(Fields, mage.BuildSystemTestBinary)
+	return mage.PythonNoseTest(mage.DefaultPythonTestUnitArgs())
+}
+
+// PythonIntegTest executes the python system tests in the integration environment (Docker).
+func PythonIntegTest(ctx context.Context) error {
+	if !mage.IsInIntegTestEnv() {
+		mg.Deps(Fields)
+	}
+	return mage.RunIntegTest("pythonIntegTest", func() error {
+		mg.Deps(mage.BuildSystemTestBinary)
+		return mage.PythonNoseTest(mage.DefaultPythonTestIntegrationArgs())
+	})
+}
diff --git a/x-pack/auditbeat/main_test.go b/x-pack/auditbeat/main_test.go
new file mode 100644
index 000000000000..1eca7b4f54df
--- /dev/null
+++ b/x-pack/auditbeat/main_test.go
@@ -0,0 +1,30 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package main
+
+// This file is mandatory as otherwise the auditbeat.test binary is not generated correctly.
+
+import (
+	"flag"
+	"testing"
+
+	"github.com/elastic/beats/auditbeat/cmd"
+)
+
+var systemTest *bool
+
+func init() {
+	systemTest = flag.Bool("systemTest", false, "Set to true when running system tests")
+
+	cmd.RootCmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("systemTest"))
+	cmd.RootCmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("test.coverprofile"))
+}
+
+// Test started when the test binary is started. Only calls main.
+func TestSystem(t *testing.T) {
+	if *systemTest {
+		main()
+	}
+}
diff --git a/x-pack/auditbeat/module/system/_meta/config.yml.tmpl b/x-pack/auditbeat/module/system/_meta/config.yml.tmpl
new file mode 100644
index 000000000000..94893b4ed61c
--- /dev/null
+++ b/x-pack/auditbeat/module/system/_meta/config.yml.tmpl
@@ -0,0 +1,41 @@
+{{ if ne .GOOS "windows" -}}
+{{ if .Reference -}}
+# The system module collects security related information about a host.
+# All metricsets send both periodic state information (e.g. all currently
+# running processes) and real-time changes (e.g. when a new process starts
+# or stops).
+{{ end -}}
+- module: system
+  metricsets:
+    - host    # General host information, e.g. uptime, IPs
+    {{ if false -}}
+    - packages # Installed packages
+    {{- end -}}
+    - process # Started and stopped processes
+    {{ if eq .GOOS "linux" -}}
+    - socket  # Opened and closed sockets
+    - user    # User information
+    {{- end }}
+
+  # How often metricsets send state updates with the
+  # current state of the system (e.g. all currently
+  # running processes, all open sockets).
+  state.period: 12h
+{{ if .Reference }}
+  # The state.period can be overridden for any metricset.
+  # host.state.period: 12h
+  # process.state.period: 12h
+  # socket.state.period: 12h
+  # user.state.period: 12h
+{{ end }}
+  {{ if eq .GOOS "linux" -}}
+  # Enabled by default. Auditbeat will read password fields in
+  # /etc/passwd and /etc/shadow and store a hash locally to
+  # detect any changes.
+  user.detect_password_changes: true
+  {{- end }}
+  {{- if false -}}
+  {{/* Only remaining use in packages, to be removed completely. */}}
+  report_changes: true
+  {{- end -}}
+{{- end }}
diff --git a/x-pack/auditbeat/module/system/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/_meta/docs.asciidoc
new file mode 100644
index 000000000000..e402da99d2ed
--- /dev/null
+++ b/x-pack/auditbeat/module/system/_meta/docs.asciidoc
@@ -0,0 +1,92 @@
+[role="xpack"]
+
+== System Module
+
+experimental[]
+
+The `system` module collects various security related information about
+a system. All metricsets send both periodic state information (e.g. all currently
+running processes) and real-time changes (e.g. when a new process starts
+or stops).
+
+The module is fully implemented for Linux, and partially implemented
+for macOS (Darwin).
+
+[float]
+=== How it works
+
+Each metricset sends two kinds of information: state and events.
+
+State information is sent periodically and on startup (for some metricsets).
+A state update will consist of one event per object that is currently
+active on the system (e.g. a process). All events belonging to the same state
+update will share the same UUID in `event.id`.
+
+The frequency of state updates can be controlled for all metricsets using the
+`state.period` configuration option. Overrides are available per metricset.
+The default is `12h`.
+
+Event information is sent as the events occur (e.g. a process starts or stops).
+All metricsets are currently using a poll model to retrieve their data.
+The frequency of these polls is controlled using the `period` configuration
+parameter.
+
+[float]
+=== Configuration options
+
+This module has some configuration options for controlling its behavior. The
+following example shows all configuration options with their default values for
+Linux.
+
+NOTE: It is recommended to configure some metricsets separately. See below for a
+sample suggested configuration.
+
+[source,yaml]
+----
+- module: system
+  metricsets:
+    - host
+    - process
+    - socket
+    - user
+  period: 10s
+  state.period: 12h
+  user.detect_password_changes: true
+----
+
+*`period`*:: The frequency at which the metricsets check for changes. For most
+metricsets - esp. `process` and `socket` - a shorter period is recommended.
+
+*`state.period`*:: The frequency at which the metricsets send full state information.
+This option can be overridden per metricset using `{metricset}.state.period`.
+
+*`user.detect_password_changes`*:: If the `user` metricset is configured and
+this option is set to `true`, Auditbeat will read password information in `/etc/passwd`
+and `/etc/shadow` to detect password changes. A hash will be kept locally in
+the `beat.db` file to detect changes between Auditbeat restarts. The `beat.db` file
+should be readable only by the root user and be treated similar to the shadow file
+itself.
+
+[float]
+=== Suggested configuration
+
+Processes and sockets can be short-lived, so the chance of missing an update
+increases if the polling interval is too large.
+
+On the other hand, host and user information is unlikely to change frequently,
+so a longer polling interval can be used.
+
+[source,yaml]
+----
+- module: system
+  metricsets:
+    - host
+    - user
+  period: 1m
+  user.detect_password_changes: true
+
+- module: system
+    - process
+    - socket
+  period: 1s
+----
diff --git a/x-pack/auditbeat/module/system/_meta/fields.yml b/x-pack/auditbeat/module/system/_meta/fields.yml
new file mode 100644
index 000000000000..f27178a0931d
--- /dev/null
+++ b/x-pack/auditbeat/module/system/_meta/fields.yml
@@ -0,0 +1,10 @@
+- key: system
+  title: "System"
+  description: >
+    These are the fields generated by the system module.
+  release: experimental
+  fields:
+    - name: system.audit
+      type: group
+      description: >
+      fields:
diff --git a/x-pack/auditbeat/module/system/host/_meta/data.json b/x-pack/auditbeat/module/system/host/_meta/data.json
new file mode 100644
index 000000000000..e0b0818dcae8
--- /dev/null
+++ b/x-pack/auditbeat/module/system/host/_meta/data.json
@@ -0,0 +1,54 @@
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "action": "host",
+        "dataset": "host",
+        "module": "system",
+        "kind": "state"
+    },
+    "message": "Ubuntu host ubuntu-bionic (IP: 10.0.2.15) is up for 0 days, 5 hours, 11 minutes",
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "audit": {
+            "host": {
+                "architecture": "x86_64",
+                "boottime": "2018-12-10T15:48:44Z",
+                "containerized": false,
+                "hostname": "ubuntu-bionic",
+                "id": "6f7be6fb33e6c77f057266415c094408",
+                "ip": [
+                    "10.0.2.15",
+                    "fe80::2d:fdff:fe81:e747",
+                    "172.28.128.3",
+                    "fe80::a00:27ff:fe1f:7160",
+                    "172.17.0.1",
+                    "fe80::42:83ff:febe:1a3a",
+                    "172.18.0.1",
+                    "fe80::42:9eff:fed3:d888"
+                ],
+                "mac": [
+                    "02:2d:fd:81:e7:47",
+                    "08:00:27:1f:71:60",
+                    "02:42:83:be:1a:3a",
+                    "02:42:9e:d3:d8:88"
+                ],
+                "os": {
+                    "family": "debian",
+                    "kernel": "4.15.0-42-generic",
+                    "name": "Ubuntu",
+                    "platform": "ubuntu",
+                    "version": "18.04.1 LTS (Bionic Beaver)"
+                },
+                "timezone.name": "UTC",
+                "timezone.offset.sec": 0,
+                "uptime": 18661357350265
+            }
+        }
+    }
+}
diff --git a/x-pack/auditbeat/module/system/host/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/host/_meta/docs.asciidoc
new file mode 100644
index 000000000000..a8041d169c3d
--- /dev/null
+++ b/x-pack/auditbeat/module/system/host/_meta/docs.asciidoc
@@ -0,0 +1,7 @@
+[role="xpack"]
+
+experimental[]
+
+This is the `host` metricset of the system module.
+
+It is implemented for Linux and macOS (Darwin).
diff --git a/x-pack/auditbeat/module/system/host/_meta/fields.yml b/x-pack/auditbeat/module/system/host/_meta/fields.yml
new file mode 100644
index 000000000000..f6955dc50adf
--- /dev/null
+++ b/x-pack/auditbeat/module/system/host/_meta/fields.yml
@@ -0,0 +1,71 @@
+- name: host
+  type: group
+  description: >
+    `host` contains general host information.
+  release: experimental
+  fields:
+  - name: uptime
+    type: long
+    description: >
+        Uptime in nanoseconds.
+  - name: boottime
+    type: date
+    description: >
+        Boot time.
+  - name: containerized
+    type: boolean
+    description: >
+        Set if host is a container.
+  - name: timezone.name
+    type: keyword
+    description: >
+        Name of the timezone of the host, e.g. BST.
+  - name: timezone.offset.sec
+    type: long
+    description: >
+        Timezone offset in seconds.
+  - name: hostname
+    type: keyword
+    description: >
+        Hostname.
+  - name: id
+    type: keyword
+    description: >
+        Host ID.
+  - name: architecture
+    type: keyword
+    description: >
+        Host architecture (e.g. x86_64).
+  - name: mac
+    type: keyword
+    description: >
+        MAC addresses.
+  - name: ip
+    type: ip
+    description: >
+        IP addresses.
+  - name: os
+    type: group
+    description: >
+      `os` contains information about the operating system.
+    fields:
+    - name: platform
+      type: keyword
+      description: >
+        OS platform (e.g. centos, ubuntu, windows).
+    - name: name
+      type: keyword
+      description: >
+        OS name (e.g. Mac OS X).
+    - name: family
+      type: keyword
+      description: >
+        OS family (e.g. redhat, debian, freebsd, windows).
+    - name: version
+      type: keyword
+      description: >
+        OS version.
+    - name: kernel
+      type: keyword
+      description: >
+        The operating system's kernel version.
diff --git a/x-pack/auditbeat/module/system/host/config.go b/x-pack/auditbeat/module/system/host/config.go
new file mode 100644
index 000000000000..7e4554639c92
--- /dev/null
+++ b/x-pack/auditbeat/module/system/host/config.go
@@ -0,0 +1,28 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package host
+
+import (
+	"time"
+)
+
+// config defines the metricset's configuration options.
+type config struct {
+	StatePeriod     time.Duration `config:"state.period"`
+	HostStatePeriod time.Duration `config:"host.state.period"`
+}
+
+func (c *config) effectiveStatePeriod() time.Duration {
+	if c.HostStatePeriod != 0 {
+		return c.HostStatePeriod
+	}
+	return c.StatePeriod
+}
+
+func defaultConfig() config {
+	return config{
+		StatePeriod: 1 * time.Hour,
+	}
+}
diff --git a/x-pack/auditbeat/module/system/host/host.go b/x-pack/auditbeat/module/system/host/host.go
new file mode 100644
index 000000000000..2b7e2b2817c6
--- /dev/null
+++ b/x-pack/auditbeat/module/system/host/host.go
@@ -0,0 +1,469 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package host
+
+import (
+	"bytes"
+	"encoding/binary"
+	"encoding/gob"
+	"fmt"
+	"io"
+	"math"
+	"net"
+	"strconv"
+	"time"
+
+	"github.com/OneOfOne/xxhash"
+	"github.com/joeshaw/multierror"
+	"github.com/pkg/errors"
+
+	"github.com/elastic/beats/auditbeat/datastore"
+	"github.com/elastic/beats/libbeat/common"
+	"github.com/elastic/beats/libbeat/common/cfgwarn"
+	"github.com/elastic/beats/libbeat/logp"
+	"github.com/elastic/beats/metricbeat/mb"
+	"github.com/elastic/go-sysinfo"
+	"github.com/elastic/go-sysinfo/types"
+)
+
+const (
+	moduleName    = "system"
+	metricsetName = "host"
+	namespace     = "system.audit.host"
+
+	bucketName        = "host.v1"
+	bucketKeyLastHost = "lastHost"
+
+	eventTypeState = "state"
+	eventTypeEvent = "event"
+)
+
+type eventAction uint8
+
+const (
+	eventActionHost eventAction = iota
+	eventActionIDChanged
+	eventActionReboot
+	eventActionHostnameChanged
+	eventActionHostChanged
+)
+
+func (action eventAction) String() string {
+	switch action {
+	case eventActionHost:
+		return "host"
+	case eventActionIDChanged:
+		return "host_id_changed"
+	case eventActionReboot:
+		return "reboot"
+	case eventActionHostnameChanged:
+		return "hostname_changed"
+	case eventActionHostChanged:
+		return "host_changed"
+	default:
+		return ""
+	}
+}
+
+// Host represents information about a host.
+type Host struct {
+	info types.HostInfo
+	// Uptime() in types.HostInfo recalculates the uptime every time it is called -
+	// so storing it permanently here.
+	uptime time.Duration
+	addrs  []net.Addr
+	macs   []net.HardwareAddr
+}
+
+// changeDetectionHash creates a hash of selected parts of the host information.
+// This is used later to detect changes to a host over time.
+func (host *Host) changeDetectionHash() uint64 {
+	h := xxhash.New64()
+
+	if host.info.Containerized != nil {
+		h.WriteString(strconv.FormatBool(*host.info.Containerized))
+	}
+
+	h.WriteString(host.info.Timezone)
+	binary.Write(h, binary.BigEndian, int32(host.info.TimezoneOffsetSec))
+	h.WriteString(host.info.Architecture)
+	h.WriteString(host.info.OS.Platform)
+	h.WriteString(host.info.OS.Name)
+	h.WriteString(host.info.OS.Family)
+	h.WriteString(host.info.OS.Version)
+	h.WriteString(host.info.KernelVersion)
+
+	return h.Sum64()
+}
+
+func (host *Host) toMapStr() common.MapStr {
+	mapstr := common.MapStr{
+		// https://github.com/elastic/ecs#-host-fields
+		"uptime":              host.uptime,
+		"boottime":            host.info.BootTime,
+		"timezone.name":       host.info.Timezone,
+		"timezone.offset.sec": host.info.TimezoneOffsetSec,
+		"hostname":            host.info.Hostname,
+		"id":                  host.info.UniqueID,
+		"architecture":        host.info.Architecture,
+
+		// https://github.com/elastic/ecs#-operating-system-fields
+		"os": common.MapStr{
+			"platform": host.info.OS.Platform,
+			"name":     host.info.OS.Name,
+			"family":   host.info.OS.Family,
+			"version":  host.info.OS.Version,
+			"kernel":   host.info.KernelVersion,
+		},
+	}
+
+	if host.info.Containerized != nil {
+		mapstr.Put("containerized", host.info.Containerized)
+	}
+
+	var ipStrings []string
+	for _, addr := range host.addrs {
+		ipStrings = append(ipStrings, ipString(addr))
+	}
+	mapstr.Put("ip", ipStrings)
+
+	var macStrings []string
+	for _, mac := range host.macs {
+		macStr := mac.String()
+		if macStr != "" {
+			macStrings = append(macStrings, macStr)
+		}
+	}
+	mapstr.Put("mac", macStrings)
+
+	return mapstr
+}
+
+func ipString(addr net.Addr) string {
+	switch v := addr.(type) {
+	case *net.IPNet:
+		return v.IP.String()
+	case *net.IPAddr:
+		return v.IP.String()
+	default:
+		return ""
+	}
+}
+
+func init() {
+	mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
+		mb.DefaultMetricSet(),
+		mb.WithNamespace(namespace),
+	)
+}
+
+// MetricSet collects data about the host.
+type MetricSet struct {
+	mb.BaseMetricSet
+	config    config
+	log       *logp.Logger
+	bucket    datastore.Bucket
+	lastState time.Time
+	lastHost  *Host
+}
+
+// New constructs a new MetricSet.
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+	cfgwarn.Experimental("The %v/%v dataset is experimental", moduleName, metricsetName)
+
+	config := defaultConfig()
+	if err := base.Module().UnpackConfig(&config); err != nil {
+		return nil, errors.Wrapf(err, "failed to unpack the %v/%v config", moduleName, metricsetName)
+	}
+
+	bucket, err := datastore.OpenBucket(bucketName)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to open persistent datastore")
+	}
+
+	ms := &MetricSet{
+		BaseMetricSet: base,
+		config:        config,
+		log:           logp.NewLogger(moduleName),
+		bucket:        bucket,
+	}
+
+	// Load state (lastHost) from disk
+	err = ms.restoreStateFromDisk()
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to restore state from disk")
+	}
+
+	return ms, nil
+}
+
+// Close cleans up the MetricSet when it finishes.
+func (ms *MetricSet) Close() error {
+	return ms.saveStateToDisk()
+}
+
+// Fetch collects data about the host. It is invoked periodically.
+func (ms *MetricSet) Fetch(report mb.ReporterV2) {
+	needsStateUpdate := time.Since(ms.lastState) > ms.config.effectiveStatePeriod()
+	if needsStateUpdate {
+		ms.log.Debug("State update needed.")
+		err := ms.reportState(report)
+		if err != nil {
+			ms.log.Error(err)
+			report.Error(err)
+		}
+		ms.log.Debugf("Next state update by %v", ms.lastState.Add(ms.config.effectiveStatePeriod()))
+	}
+
+	err := ms.reportChanges(report)
+	if err != nil {
+		ms.log.Error(err)
+		report.Error(err)
+	}
+}
+
+// reportState reports the current state of the host.
+func (ms *MetricSet) reportState(report mb.ReporterV2) error {
+	ms.lastState = time.Now()
+
+	host, err := getHost()
+	if err != nil {
+		return err
+	}
+
+	report.Event(hostEvent(host, eventTypeState, eventActionHost))
+
+	return nil
+}
+
+// reportChanges detects and reports any changes to this host since the last call.
+func (ms *MetricSet) reportChanges(report mb.ReporterV2) error {
+	currentHost, err := getHost()
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		ms.lastHost = currentHost
+	}()
+
+	if ms.lastHost == nil {
+		// First run - no changes possible
+		return nil
+	}
+
+	var events []mb.Event
+
+	// Report ID changes as a separate, special event.
+	if ms.lastHost.info.UniqueID != currentHost.info.UniqueID {
+		/*
+		 Issue two events - one for the host with the old ID, one for the new
+		 - to link them (since the unique ID is what identifies a host).
+		*/
+		eventOldHost := hostEvent(ms.lastHost, eventTypeEvent, eventActionIDChanged)
+		eventOldHost.MetricSetFields.Put("new_id", currentHost.info.UniqueID)
+		events = append(events, eventOldHost)
+
+		eventNewHost := hostEvent(currentHost, eventTypeEvent, eventActionIDChanged)
+		eventNewHost.MetricSetFields.Put("old_id", ms.lastHost.info.UniqueID)
+		events = append(events, eventNewHost)
+	}
+
+	// Report reboots separately
+	if !currentHost.info.BootTime.Equal(ms.lastHost.info.BootTime) {
+		events = append(events, hostEvent(currentHost, eventTypeEvent, eventActionReboot))
+	}
+
+	// Report hostname changes separately
+	if currentHost.info.Hostname != ms.lastHost.info.Hostname {
+		events = append(events, hostEvent(currentHost, eventTypeEvent, eventActionHostnameChanged))
+	}
+
+	// Report any other changes.
+	if ms.lastHost.changeDetectionHash() != currentHost.changeDetectionHash() {
+		events = append(events, hostEvent(currentHost, eventTypeEvent, eventActionHostChanged))
+	}
+
+	for _, event := range events {
+		report.Event(event)
+	}
+
+	if len(events) > 0 {
+		ms.saveStateToDisk()
+	}
+
+	return nil
+}
+
+func getHost() (*Host, error) {
+	sysinfoHost, err := sysinfo.Host()
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to load host information")
+	}
+
+	addrs, macs, err := getNetInfo()
+	if err != nil {
+		return nil, err
+	}
+
+	host := &Host{
+		info:   sysinfoHost.Info(),
+		uptime: sysinfoHost.Info().Uptime(),
+		addrs:  addrs,
+		macs:   macs,
+	}
+
+	return host, nil
+}
+
+func hostEvent(host *Host, eventType string, action eventAction) mb.Event {
+	return mb.Event{
+		RootFields: common.MapStr{
+			"event": common.MapStr{
+				"kind":   eventType,
+				"action": action.String(),
+			},
+			"message": hostMessage(host, action),
+		},
+		MetricSetFields: host.toMapStr(),
+	}
+}
+
+func hostMessage(host *Host, action eventAction) string {
+	var firstIP string
+	if len(host.addrs) > 0 {
+		firstIP = ipString(host.addrs[0])
+	}
+
+	// Hostname + IP of the first non-loopback interface.
+	hostString := fmt.Sprintf("%v (IP: %v)", host.info.Hostname, firstIP)
+
+	var message string
+	switch action {
+	case eventActionHost:
+		message = fmt.Sprintf("%v host %v is up for %v",
+			host.info.OS.Name, hostString, fmtDuration(host.uptime))
+	case eventActionIDChanged:
+		message = fmt.Sprintf("ID of host %v has changed", hostString)
+	case eventActionReboot:
+		message = fmt.Sprintf("Host %v restarted", hostString)
+	case eventActionHostnameChanged:
+		message = fmt.Sprintf("Hostname changed to %v", hostString)
+	case eventActionHostChanged:
+		message = fmt.Sprintf("Host %v changed", hostString)
+	}
+
+	return message
+}
+
+func fmtDuration(d time.Duration) string {
+	const dayMinutes = 60 * 24
+
+	remainingMinutes := math.Floor(d.Minutes())
+	days := math.Floor(remainingMinutes / dayMinutes)
+
+	remainingMinutes -= days * dayMinutes
+	hours := math.Floor(remainingMinutes / 60)
+
+	remainingMinutes -= hours * 60
+	minutes := math.Floor(remainingMinutes)
+
+	return fmt.Sprintf("%.f %v, %.f %v, %.f %v",
+		days, inflect("day", int(days)),
+		hours, inflect("hour", int(hours)),
+		minutes, inflect("minute", int(minutes)))
+}
+
+func inflect(noun string, count int) string {
+	if count == 1 {
+		return noun
+	}
+	return noun + "s"
+}
+
+func (ms *MetricSet) saveStateToDisk() error {
+	var buf bytes.Buffer
+	encoder := gob.NewEncoder(&buf)
+	err := encoder.Encode(*ms.lastHost)
+	if err != nil {
+		return errors.Wrap(err, "error encoding host information")
+	}
+
+	err = ms.bucket.Store(bucketKeyLastHost, buf.Bytes())
+	if err != nil {
+		return errors.Wrap(err, "error writing host information to disk")
+	}
+
+	ms.log.Debug("Wrote host information to disk.")
+	return nil
+}
+
+func (ms *MetricSet) restoreStateFromDisk() error {
+	var decoder *gob.Decoder
+	err := ms.bucket.Load(bucketKeyLastHost, func(blob []byte) error {
+		if len(blob) > 0 {
+			buf := bytes.NewBuffer(blob)
+			decoder = gob.NewDecoder(buf)
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	if decoder != nil {
+		var lastHost Host
+		err = decoder.Decode(&lastHost)
+		if err == nil {
+			ms.lastHost = &lastHost
+		} else if err != io.EOF {
+			return errors.Wrap(err, "error decoding host information")
+		}
+	}
+
+	if ms.lastHost != nil {
+		ms.log.Debug("Restored last host information from disk.")
+	} else {
+		ms.log.Debug("No last host information found on disk.")
+	}
+
+	return nil
+}
+
+// getNetInfo is originally copied from libbeat/processors/add_host_metadata.go.
+// TODO: Maybe these two can share an implementation?
+func getNetInfo() ([]net.Addr, []net.HardwareAddr, error) {
+	var addrList []net.Addr
+	var hwList []net.HardwareAddr
+
+	// Get all interfaces and loop through them
+	ifaces, err := net.Interfaces()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Keep track of all errors
+	var errs multierror.Errors
+
+	for _, i := range ifaces {
+		// Skip loopback interfaces
+		if i.Flags&net.FlagLoopback == net.FlagLoopback {
+			continue
+		}
+
+		hwList = append(hwList, i.HardwareAddr)
+
+		addrs, err := i.Addrs()
+		if err != nil {
+			// If we get an error, keep track of it and continue with the next interface
+			errs = append(errs, err)
+			continue
+		}
+
+		addrList = append(addrList, addrs...)
+	}
+
+	return addrList, hwList, errs.Err()
+}
diff --git a/x-pack/auditbeat/module/system/host/host_test.go b/x-pack/auditbeat/module/system/host/host_test.go
new file mode 100644
index 000000000000..11e2ff999768
--- /dev/null
+++ b/x-pack/auditbeat/module/system/host/host_test.go
@@ -0,0 +1,32 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package host
+
+import (
+	"testing"
+
+	"github.com/elastic/beats/auditbeat/core"
+	mbtest "github.com/elastic/beats/metricbeat/mb/testing"
+)
+
+func TestData(t *testing.T) {
+	f := mbtest.NewReportingMetricSetV2(t, getConfig())
+	events, errs := mbtest.ReportingFetchV2(f)
+	if len(errs) > 0 {
+		t.Fatalf("received error: %+v", errs[0])
+	}
+	if len(events) == 0 {
+		t.Fatal("no events were generated")
+	}
+	fullEvent := mbtest.StandardizeEvent(f, events[0], core.AddDatasetToEvent)
+	mbtest.WriteEventToDataJSON(t, fullEvent, "")
+}
+
+func getConfig() map[string]interface{} {
+	return map[string]interface{}{
+		"module":     "system",
+		"metricsets": []string{"host"},
+	}
+}
diff --git a/x-pack/auditbeat/module/system/packages/_meta/data.json b/x-pack/auditbeat/module/system/packages/_meta/data.json
new file mode 100644
index 000000000000..36bbb2fd0bac
--- /dev/null
+++ b/x-pack/auditbeat/module/system/packages/_meta/data.json
@@ -0,0 +1,30 @@
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "beat": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "metricset": {
+        "module": "system",
+        "name": "packages",
+        "rtt": 115
+    },
+    "system": {
+        "packages": {
+            "package": [
+                {
+                    "arch": "amd64",
+                    "installtime": "0001-01-01T00:00:00Z",
+                    "license": "",
+                    "name": "vim-tiny",
+                    "release": "",
+                    "size": 1271,
+                    "status": "installed",
+                    "summary": "Vi IMproved - enhanced vi editor - compact version",
+                    "url": "",
+                    "version": "2:8.0.1453-1ubuntu1"
+                }
+            ]
+        }
+    }
+}
diff --git a/x-pack/auditbeat/module/system/packages/_meta/docs.asciidoc.disabled b/x-pack/auditbeat/module/system/packages/_meta/docs.asciidoc.disabled
new file mode 100644
index 000000000000..a2f70162151f
--- /dev/null
+++ b/x-pack/auditbeat/module/system/packages/_meta/docs.asciidoc.disabled
@@ -0,0 +1,8 @@
+The System `packages` metricset provides ... TODO.
+
+The module is implemented for Linux, macOS (Darwin), and Windows.
+
+[float]
+=== Configuration options
+
+TODO
diff --git a/x-pack/auditbeat/module/system/packages/_meta/fields.yml.disabled b/x-pack/auditbeat/module/system/packages/_meta/fields.yml.disabled
new file mode 100644
index 000000000000..f57093bc150d
--- /dev/null
+++ b/x-pack/auditbeat/module/system/packages/_meta/fields.yml.disabled
@@ -0,0 +1,50 @@
+- name: packages
+  type: group
+  description: >
+    `packages` contains information about installed packages.
+  release: experimental
+  fields:
+  - name: package
+    type: array
+    description: >
+        One or more packages.
+    fields:
+    - name: status
+      type: keyword
+      description: >
+        Package change - `new`, `installed` or `removed`.
+    - name: package.name
+      type: keyword
+      description: >
+        Package name.
+    - name: package.version
+      type: keyword
+      description: >
+        Package version.
+    - name: package.release
+      type: keyword
+      description: >
+        Package release.
+    - name: package.arch
+      type: keyword
+      description: >
+        Package architecture.
+    - name: package.license
+      type: keyword
+      description: >
+        Package license.
+    - name: package.installtime
+      type: date
+      description: >
+        Package install time.
+    - name: package.size
+      type: long
+      description: >
+        Package size.
+    - name: package.summary
+      description: >
+        Package summary.
+    - name: package.url
+      type: keyword
+      description: >
+        Package URL.
diff --git a/x-pack/auditbeat/module/system/packages/config.go b/x-pack/auditbeat/module/system/packages/config.go
new file mode 100644
index 000000000000..05fdce2fcb16
--- /dev/null
+++ b/x-pack/auditbeat/module/system/packages/config.go
@@ -0,0 +1,19 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package packages
+
+// Config defines the host metricset's configuration options.
+type Config struct {
+	ReportChanges bool `config:"packages.report_changes"`
+}
+
+// Validate validates the host metricset config.
+func (c *Config) Validate() error {
+	return nil
+}
+
+var defaultConfig = Config{
+	ReportChanges: true,
+}
diff --git a/x-pack/auditbeat/module/system/packages/packages.go b/x-pack/auditbeat/module/system/packages/packages.go
new file mode 100644
index 000000000000..6cb0216b249b
--- /dev/null
+++ b/x-pack/auditbeat/module/system/packages/packages.go
@@ -0,0 +1,338 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package packages
+
+import (
+	"bufio"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+
+	"github.com/elastic/beats/libbeat/common"
+	"github.com/elastic/beats/libbeat/common/cfgwarn"
+	"github.com/elastic/beats/metricbeat/mb"
+	"github.com/elastic/beats/x-pack/auditbeat/cache"
+	"github.com/elastic/go-sysinfo/types"
+
+	"github.com/OneOfOne/xxhash"
+
+	"github.com/elastic/beats/libbeat/logp"
+	"github.com/elastic/go-sysinfo"
+)
+
+const (
+	moduleName    = "system"
+	metricsetName = "packages"
+	//namespace     = "system.audit.packages"
+
+	redhat = "redhat"
+	debian = "debian"
+	darwin = "darwin"
+)
+
+func init() {
+	/*mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
+		mb.DefaultMetricSet(),
+		mb.WithNamespace(namespace),
+	)*/
+}
+
+// MetricSet collects data about the host.
+type MetricSet struct {
+	mb.BaseMetricSet
+	config   Config
+	osFamily string
+	cache    *cache.Cache
+	log      *logp.Logger
+}
+
+// Package represents information for a package.
+type Package struct {
+	Name        string
+	Version     string
+	Release     string
+	Arch        string
+	License     string
+	InstallTime time.Time
+	Size        uint64
+	Summary     string
+	URL         string
+}
+
+// Hash creates a hash for Package.
+func (pkg Package) Hash() uint64 {
+	h := xxhash.New64()
+	h.WriteString(pkg.Name)
+	h.WriteString(pkg.InstallTime.String())
+	return h.Sum64()
+}
+
+func (pkg Package) toMapStr() common.MapStr {
+	return common.MapStr{
+		"name":        pkg.Name,
+		"version":     pkg.Version,
+		"release":     pkg.Release,
+		"arch":        pkg.Arch,
+		"license":     pkg.License,
+		"installtime": pkg.InstallTime,
+		"size":        pkg.Size,
+		"summary":     pkg.Summary,
+		"url":         pkg.URL,
+	}
+}
+
+func getOS() (*types.OSInfo, error) {
+	host, err := sysinfo.Host()
+	if err != nil {
+		return nil, errors.Wrap(err, "error getting the OS")
+	}
+
+	hostInfo := host.Info()
+	if hostInfo.OS == nil {
+		return nil, errors.New("no host info")
+	}
+
+	return hostInfo.OS, nil
+}
+
+// New constructs a new MetricSet.
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+	cfgwarn.Experimental("The %v/%v dataset is experimental", moduleName, metricsetName)
+
+	config := defaultConfig
+	if err := base.Module().UnpackConfig(&config); err != nil {
+		return nil, errors.Wrapf(err, "failed to unpack the %v/%v config", moduleName, metricsetName)
+	}
+
+	ms := &MetricSet{
+		BaseMetricSet: base,
+		config:        config,
+		log:           logp.NewLogger(moduleName),
+	}
+
+	if os, err := getOS(); err == nil {
+		switch os.Family {
+		case redhat, debian, darwin:
+			ms.osFamily = os.Family
+		default:
+			return nil, fmt.Errorf("this metricset does not support OS family %v", os.Family)
+		}
+	} else if err != nil {
+		return nil, err
+	}
+
+	if config.ReportChanges {
+		ms.cache = cache.New()
+	}
+
+	return ms, nil
+}
+
+// Fetch collects data about the host. It is invoked periodically.
+func (ms *MetricSet) Fetch(report mb.ReporterV2) {
+	packages, err := getPackages(ms.osFamily)
+	if err != nil {
+		ms.log.Error(err)
+		report.Error(err)
+		return
+	}
+
+	if ms.cache != nil && !ms.cache.IsEmpty() {
+		installed, removed := ms.cache.DiffAndUpdateCache(convertToCacheable(packages))
+
+		for _, pkgInfo := range installed {
+			pkgInfoMapStr := pkgInfo.(*Package).toMapStr()
+			pkgInfoMapStr.Put("status", "new")
+
+			report.Event(mb.Event{
+				MetricSetFields: common.MapStr{
+					"package": pkgInfoMapStr,
+				},
+			})
+		}
+
+		for _, pkgInfo := range removed {
+			pkgInfoMapStr := pkgInfo.(*Package).toMapStr()
+			pkgInfoMapStr.Put("status", "removed")
+
+			report.Event(mb.Event{
+				MetricSetFields: common.MapStr{
+					"package": pkgInfoMapStr,
+				},
+			})
+		}
+	} else {
+		// Report all installed packages
+		var pkgInfos []common.MapStr
+
+		for _, pkgInfo := range packages {
+			pkgInfoMapStr := pkgInfo.toMapStr()
+			pkgInfoMapStr.Put("status", "installed")
+
+			pkgInfos = append(pkgInfos, pkgInfoMapStr)
+		}
+
+		report.Event(mb.Event{
+			MetricSetFields: common.MapStr{
+				"package": pkgInfos,
+			},
+		})
+
+		if ms.cache != nil {
+			// This will initialize the cache with the current packages
+			ms.cache.DiffAndUpdateCache(convertToCacheable(packages))
+		}
+	}
+}
+
+func convertToCacheable(packages []*Package) []cache.Cacheable {
+	c := make([]cache.Cacheable, 0, len(packages))
+
+	for _, p := range packages {
+		c = append(c, p)
+	}
+
+	return c
+}
+
+func getPackages(osFamily string) (packages []*Package, err error) {
+	switch osFamily {
+	case redhat:
+		// TODO: Implement RPM
+		err = errors.New("RPM not yet supported")
+	case debian:
+		packages, err = listDebPackages()
+		if err != nil {
+			err = errors.Wrap(err, "error getting DEB packages")
+		}
+	case darwin:
+		packages, err = listBrewPackages()
+		if err != nil {
+			err = errors.Wrap(err, "error getting Homebrew packages")
+		}
+	default:
+		panic("unknown OS - this should not have happened")
+	}
+
+	return
+}
+
+func listDebPackages() ([]*Package, error) {
+	const statusFile = "/var/lib/dpkg/status"
+	file, err := os.Open(statusFile)
+	if err != nil {
+		return nil, errors.Wrapf(err, "error opening '%s'", statusFile)
+	}
+	defer file.Close()
+
+	var packages []*Package
+	pkg := &Package{}
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if len(strings.TrimSpace(line)) == 0 {
+			// empty line signals new package
+			packages = append(packages, pkg)
+			pkg = &Package{}
+			continue
+		}
+		if strings.HasPrefix(line, " ") {
+			// not interested in multi-lines for now
+			continue
+		}
+		words := strings.SplitN(line, ":", 2)
+		if len(words) != 2 {
+			return nil, fmt.Errorf("the following line was unexpected (no ':' found): '%s'", line)
+		}
+		value := strings.TrimSpace(words[1])
+		switch strings.ToLower(words[0]) {
+		case "package":
+			pkg.Name = value
+		case "architecture":
+			pkg.Arch = value
+		case "version":
+			pkg.Version = value
+		case "description":
+			pkg.Summary = value
+		case "installed-size":
+			pkg.Size, err = strconv.ParseUint(value, 10, 64)
+			if err != nil {
+				return nil, errors.Wrapf(err, "error converting %s to int", value)
+			}
+		default:
+			continue
+		}
+	}
+	if err = scanner.Err(); err != nil {
+		return nil, errors.Wrap(err, "error scanning file")
+	}
+	return packages, nil
+}
+
+func listBrewPackages() ([]*Package, error) {
+	const cellarPath = "/usr/local/Cellar"
+
+	packageDirs, err := ioutil.ReadDir(cellarPath)
+	if os.IsNotExist(err) {
+		return nil, errors.Wrapf(err, "%s does not exist - is Homebrew installed?", cellarPath)
+	} else if err != nil {
+		return nil, errors.Wrapf(err, "error reading directory %s", cellarPath)
+	}
+
+	var packages []*Package
+	for _, packageDir := range packageDirs {
+		if !packageDir.IsDir() {
+			continue
+		}
+		pkgPath := path.Join(cellarPath, packageDir.Name())
+		versions, err := ioutil.ReadDir(pkgPath)
+		if err != nil {
+			return nil, errors.Wrapf(err, "error reading directory: %s", pkgPath)
+		}
+
+		for _, version := range versions {
+			if !version.IsDir() {
+				continue
+			}
+			pkg := &Package{
+				Name:        packageDir.Name(),
+				Version:     version.Name(),
+				InstallTime: version.ModTime(),
+			}
+
+			// read formula
+			formulaPath := path.Join(cellarPath, pkg.Name, pkg.Version, ".brew", pkg.Name+".rb")
+			file, err := os.Open(formulaPath)
+			if err != nil {
+				//fmt.Printf("WARNING: Can't get formula for package %s-%s\n", pkg.Name, pkg.Version)
+				// TODO: follow the path from INSTALL_RECEIPT.json to find the formula
+				continue
+			}
+			scanner := bufio.NewScanner(file)
+			count := 15 // only look into the first few lines of the formula
+			for scanner.Scan() {
+				count--
+				if count == 0 {
+					break
+				}
+				line := scanner.Text()
+				if strings.HasPrefix(line, "  desc ") {
+					pkg.Summary = strings.Trim(line[7:], " \"")
+				} else if strings.HasPrefix(line, "  homepage ") {
+					pkg.URL = strings.Trim(line[11:], " \"")
+				}
+			}
+
+			packages = append(packages, pkg)
+		}
+	}
+	return packages, nil
+}
diff --git a/x-pack/auditbeat/module/system/packages/packages_test.go b/x-pack/auditbeat/module/system/packages/packages_test.go
new file mode 100644
index 000000000000..67d17dff7655
--- /dev/null
+++ b/x-pack/auditbeat/module/system/packages/packages_test.go
@@ -0,0 +1,28 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package packages
+
+import (
+	"testing"
+
+	mbtest "github.com/elastic/beats/metricbeat/mb/testing"
+)
+
+func TestData(t *testing.T) {
+	t.Skip("Packages metricset is disabled")
+
+	f := mbtest.NewReportingMetricSetV2(t, getConfig())
+	err := mbtest.WriteEventsReporterV2(f, t, "")
+	if err != nil {
+		t.Fatal("write", err)
+	}
+}
+
+func getConfig() map[string]interface{} {
+	return map[string]interface{}{
+		"module":     "system",
+		"metricsets": []string{"packages"},
+	}
+}
diff --git a/x-pack/auditbeat/module/system/process/_meta/data.json b/x-pack/auditbeat/module/system/process/_meta/data.json
new file mode 100644
index 000000000000..810a310ad728
--- /dev/null
+++ b/x-pack/auditbeat/module/system/process/_meta/data.json
@@ -0,0 +1,29 @@
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "action": "existing_process",
+        "dataset": "process",
+        "id": "5795d53b-f7c2-463c-9c04-f316ae876d51",
+        "module": "system",
+        "kind": "state"
+    },
+    "message": "Process zsh (PID: 2363) is RUNNING",
+    "process": {
+        "args": [
+            "/usr/bin/zsh"
+        ],
+        "executable": "/bin/zsh",
+        "name": "zsh",
+        "pid": 2363,
+        "ppid": 2362,
+        "start": "2018-12-10T16:36:25.21Z",
+        "working_directory": "/home/elastic"
+    },
+    "service": {
+        "type": "system"
+    }
+}
diff --git a/x-pack/auditbeat/module/system/process/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/process/_meta/docs.asciidoc
new file mode 100644
index 000000000000..8aea28521556
--- /dev/null
+++ b/x-pack/auditbeat/module/system/process/_meta/docs.asciidoc
@@ -0,0 +1,7 @@
+[role="xpack"]
+
+experimental[]
+
+This is the `process` metricset of the system module.
+
+It is implemented for Linux and macOS (Darwin).
diff --git a/x-pack/auditbeat/module/system/process/config.go b/x-pack/auditbeat/module/system/process/config.go
new file mode 100644
index 000000000000..0cdeb737ad73
--- /dev/null
+++ b/x-pack/auditbeat/module/system/process/config.go
@@ -0,0 +1,31 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package process
+
+import (
+	"time"
+)
+
+// Config defines the host metricset's configuration options.
+type Config struct {
+	StatePeriod        time.Duration `config:"state.period"`
+	ProcessStatePeriod time.Duration `config:"process.state.period"`
+}
+
+// Validate validates the host metricset config.
+func (c *Config) Validate() error {
+	return nil
+}
+
+func (c *Config) effectiveStatePeriod() time.Duration {
+	if c.ProcessStatePeriod != 0 {
+		return c.ProcessStatePeriod
+	}
+	return c.StatePeriod
+}
+
+var defaultConfig = Config{
+	StatePeriod: 12 * time.Hour,
+}
diff --git a/x-pack/auditbeat/module/system/process/process.go b/x-pack/auditbeat/module/system/process/process.go
new file mode 100644
index 000000000000..1ad13966f9b0
--- /dev/null
+++ b/x-pack/auditbeat/module/system/process/process.go
@@ -0,0 +1,326 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package process
+
+import (
+	"fmt"
+	"os"
+	"runtime"
+	"strconv"
+	"time"
+
+	"github.com/OneOfOne/xxhash"
+	"github.com/gofrs/uuid"
+	"github.com/pkg/errors"
+
+	"github.com/elastic/beats/auditbeat/datastore"
+	"github.com/elastic/beats/libbeat/common"
+	"github.com/elastic/beats/libbeat/common/cfgwarn"
+	"github.com/elastic/beats/libbeat/logp"
+	"github.com/elastic/beats/libbeat/metric/system/process"
+	"github.com/elastic/beats/metricbeat/mb"
+	"github.com/elastic/beats/x-pack/auditbeat/cache"
+	"github.com/elastic/go-sysinfo"
+	"github.com/elastic/go-sysinfo/types"
+)
+
+const (
+	moduleName    = "system"
+	metricsetName = "process"
+	namespace     = "system.audit.process"
+
+	bucketName              = "auditbeat.process.v1"
+	bucketKeyStateTimestamp = "state_timestamp"
+
+	eventTypeState = "state"
+	eventTypeEvent = "event"
+)
+
+type eventAction uint8
+
+const (
+	eventActionExistingProcess eventAction = iota
+	eventActionProcessStarted
+	eventActionProcessStopped
+)
+
+func (action eventAction) String() string {
+	switch action {
+	case eventActionExistingProcess:
+		return "existing_process"
+	case eventActionProcessStarted:
+		return "process_started"
+	case eventActionProcessStopped:
+		return "process_stopped"
+	default:
+		return ""
+	}
+}
+
+func init() {
+	mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
+		mb.DefaultMetricSet(),
+		mb.WithNamespace(namespace),
+	)
+}
+
+// MetricSet collects data about the host.
+type MetricSet struct {
+	mb.BaseMetricSet
+	config    Config
+	cache     *cache.Cache
+	log       *logp.Logger
+	bucket    datastore.Bucket
+	lastState time.Time
+
+	suppressPermissionWarnings bool
+}
+
+// ProcessInfo wraps the process information and implements cache.Cacheable.
+type ProcessInfo struct {
+	types.ProcessInfo
+}
+
+// Hash creates a hash for ProcessInfo.
+func (pInfo ProcessInfo) Hash() uint64 {
+	h := xxhash.New64()
+	h.WriteString(strconv.Itoa(pInfo.PID))
+	h.WriteString(pInfo.StartTime.String())
+	return h.Sum64()
+}
+
+func (pInfo ProcessInfo) toMapStr() common.MapStr {
+	return common.MapStr{
+		// https://github.com/elastic/ecs#-process-fields
+		"name":              pInfo.Name,
+		"args":              pInfo.Args,
+		"pid":               pInfo.PID,
+		"ppid":              pInfo.PPID,
+		"working_directory": pInfo.CWD,
+		"executable":        pInfo.Exe,
+		"start":             pInfo.StartTime,
+	}
+}
+
+// New constructs a new MetricSet.
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+	cfgwarn.Experimental("The %v/%v dataset is experimental", moduleName, metricsetName)
+
+	config := defaultConfig
+	if err := base.Module().UnpackConfig(&config); err != nil {
+		return nil, errors.Wrapf(err, "failed to unpack the %v/%v config", moduleName, metricsetName)
+	}
+
+	bucket, err := datastore.OpenBucket(bucketName)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to open persistent datastore")
+	}
+
+	ms := &MetricSet{
+		BaseMetricSet: base,
+		config:        config,
+		log:           logp.NewLogger(metricsetName),
+		cache:         cache.New(),
+		bucket:        bucket,
+	}
+
+	// Load from disk: Time when state was last sent
+	err = bucket.Load(bucketKeyStateTimestamp, func(blob []byte) error {
+		if len(blob) > 0 {
+			return ms.lastState.UnmarshalBinary(blob)
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	if !ms.lastState.IsZero() {
+		ms.log.Debugf("Last state was sent at %v. Next state update by %v.", ms.lastState, ms.lastState.Add(ms.config.effectiveStatePeriod()))
+	} else {
+		ms.log.Debug("No state timestamp found")
+	}
+
+	return ms, nil
+}
+
+// Close cleans up the MetricSet when it finishes.
+func (ms *MetricSet) Close() error {
+	if ms.bucket != nil {
+		return ms.bucket.Close()
+	}
+	return nil
+}
+
+// Fetch collects process information. It is invoked periodically.
+func (ms *MetricSet) Fetch(report mb.ReporterV2) {
+	needsStateUpdate := time.Since(ms.lastState) > ms.config.effectiveStatePeriod()
+	if needsStateUpdate || ms.cache.IsEmpty() {
+		ms.log.Debugf("State update needed (needsStateUpdate=%v, cache.IsEmpty()=%v)", needsStateUpdate, ms.cache.IsEmpty())
+		err := ms.reportState(report)
+		if err != nil {
+			ms.log.Error(err)
+			report.Error(err)
+		}
+		ms.log.Debugf("Next state update by %v", ms.lastState.Add(ms.config.effectiveStatePeriod()))
+	}
+
+	err := ms.reportChanges(report)
+	if err != nil {
+		ms.log.Error(err)
+		report.Error(err)
+	}
+}
+
+// reportState reports all running processes on the system.
+func (ms *MetricSet) reportState(report mb.ReporterV2) error {
+	// Only update lastState if this state update was regularly scheduled,
+	// i.e. not caused by an Auditbeat restart (when the cache would be empty).
+	if !ms.cache.IsEmpty() {
+		ms.lastState = time.Now()
+	}
+
+	processInfos, err := ms.getProcessInfos()
+	if err != nil {
+		return errors.Wrap(err, "failed to get process infos")
+	}
+	ms.log.Debugf("Found %v processes", len(processInfos))
+
+	stateID, err := uuid.NewV4()
+	if err != nil {
+		return errors.Wrap(err, "error generating state ID")
+	}
+	for _, pInfo := range processInfos {
+		event := processEvent(pInfo, eventTypeState, eventActionExistingProcess)
+		event.RootFields.Put("event.id", stateID.String())
+		report.Event(event)
+	}
+
+	if ms.cache != nil {
+		// This will initialize the cache with the current processes
+		ms.cache.DiffAndUpdateCache(convertToCacheable(processInfos))
+	}
+
+	// Save time so we know when to send the state again (config.StatePeriod)
+	timeBytes, err := ms.lastState.MarshalBinary()
+	if err != nil {
+		return err
+	}
+	err = ms.bucket.Store(bucketKeyStateTimestamp, timeBytes)
+	if err != nil {
+		return errors.Wrap(err, "error writing state timestamp to disk")
+	}
+
+	return nil
+}
+
+// reportChanges detects and reports any changes to processes on this system since the last call.
+func (ms *MetricSet) reportChanges(report mb.ReporterV2) error {
+	processInfos, err := ms.getProcessInfos()
+	if err != nil {
+		return errors.Wrap(err, "failed to get process infos")
+	}
+	ms.log.Debugf("Found %v processes", len(processInfos))
+
+	started, stopped := ms.cache.DiffAndUpdateCache(convertToCacheable(processInfos))
+
+	for _, pInfo := range started {
+		report.Event(processEvent(pInfo.(*ProcessInfo), eventTypeEvent, eventActionProcessStarted))
+	}
+
+	for _, pInfo := range stopped {
+		report.Event(processEvent(pInfo.(*ProcessInfo), eventTypeEvent, eventActionProcessStopped))
+	}
+
+	return nil
+}
+
+func processEvent(pInfo *ProcessInfo, eventType string, action eventAction) mb.Event {
+	return mb.Event{
+		RootFields: common.MapStr{
+			"event": common.MapStr{
+				"kind":   eventType,
+				"action": action.String(),
+			},
+			"process": pInfo.toMapStr(),
+			"message": processMessage(pInfo, action),
+		},
+	}
+}
+
+func processMessage(pInfo *ProcessInfo, action eventAction) string {
+	var actionString string
+	switch action {
+	case eventActionProcessStarted:
+		actionString = "STARTED"
+	case eventActionProcessStopped:
+		actionString = "STOPPED"
+	case eventActionExistingProcess:
+		actionString = "is RUNNING"
+	}
+
+	return fmt.Sprintf("Process %v (PID: %d) %v",
+		pInfo.Name, pInfo.PID, actionString)
+}
+
+func convertToCacheable(processInfos []*ProcessInfo) []cache.Cacheable {
+	c := make([]cache.Cacheable, 0, len(processInfos))
+
+	for _, p := range processInfos {
+		c = append(c, p)
+	}
+
+	return c
+}
+
+func (ms *MetricSet) getProcessInfos() ([]*ProcessInfo, error) {
+	// TODO: Implement Processes() in go-sysinfo
+	// e.g. https://github.com/elastic/go-sysinfo/blob/master/providers/darwin/process_darwin_amd64.go#L41
+	pids, err := process.Pids()
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to fetch the list of PIDs")
+	}
+
+	var processInfos []*ProcessInfo
+
+	for _, pid := range pids {
+		process, err := sysinfo.Process(pid)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to load process")
+		}
+
+		pInfo, err := process.Info()
+		if err != nil {
+			if os.Geteuid() != 0 {
+				if os.IsPermission(err) || runtime.GOOS == "darwin" {
+					/*
+						Running as non-root, permission issues when trying to access other user's private
+						process information are expected.
+
+						Unfortunately, for darwin os.IsPermission() does not
+						work because it is a custom error created using errors.New() in
+						getProcTaskAllInfo() in go-sysinfo/providers/darwin/process_darwin_amd64.go
+
+						TODO: Fix go-sysinfo to have better error for darwin.
+					*/
+					if !ms.suppressPermissionWarnings {
+						ms.log.Warnf("Failed to load process information for PID %d as non-root user. "+
+							"Will suppress further errors of this kind. Error: %v", pid, err)
+
+						// Only warn once at the start of Auditbeat.
+						ms.suppressPermissionWarnings = true
+					}
+
+					continue
+				}
+			}
+
+			return nil, errors.Wrap(err, "failed to load process information")
+		}
+
+		processInfos = append(processInfos, &ProcessInfo{pInfo})
+	}
+
+	return processInfos, nil
+}
diff --git a/x-pack/auditbeat/module/system/process/process_test.go b/x-pack/auditbeat/module/system/process/process_test.go
new file mode 100644
index 000000000000..0e0675bc924e
--- /dev/null
+++ b/x-pack/auditbeat/module/system/process/process_test.go
@@ -0,0 +1,37 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package process
+
+import (
+	"testing"
+
+	"github.com/elastic/beats/auditbeat/core"
+	mbtest "github.com/elastic/beats/metricbeat/mb/testing"
+)
+
+func TestData(t *testing.T) {
+	f := mbtest.NewReportingMetricSetV2(t, getConfig())
+	events, errs := mbtest.ReportingFetchV2(f)
+	if len(errs) > 0 {
+		t.Fatalf("received error: %+v", errs[0])
+	}
+
+	if len(events) == 0 {
+		t.Fatal("no events were generated")
+	}
+
+	// The first process (events[0]) is usually something like systemd,
+	// the last few are test processes, so we pick something more interesting
+	// towards the end.
+	fullEvent := mbtest.StandardizeEvent(f, events[len(events)-8], core.AddDatasetToEvent)
+	mbtest.WriteEventToDataJSON(t, fullEvent, "")
+}
+
+func getConfig() map[string]interface{} {
+	return map[string]interface{}{
+		"module":     "system",
+		"metricsets": []string{"process"},
+	}
+}
diff --git a/x-pack/auditbeat/module/system/socket/_meta/data.json b/x-pack/auditbeat/module/system/socket/_meta/data.json
new file mode 100644
index 000000000000..a373c3cf1796
--- /dev/null
+++ b/x-pack/auditbeat/module/system/socket/_meta/data.json
@@ -0,0 +1,38 @@
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "destination": {
+        "ip": "10.0.2.15",
+        "port": 22
+    },
+    "event": {
+        "action": "existing_socket",
+        "dataset": "socket",
+        "id": "6aff69f8-7267-4604-9701-d7b67a7c65bc",
+        "kind": "state",
+        "module": "system"
+    },
+    "message": "Inbound socket (10.0.2.2:55270 -\u003e 10.0.2.15:22) OPEN by process sshd (PID: 22799) and user root (UID: 0)",
+    "network": {
+        "direction": "inbound",
+        "type": "ipv4"
+    },
+    "process": {
+        "name": "sshd",
+        "pid": 22799
+    },
+    "service": {
+        "type": "system"
+    },
+    "source": {
+        "ip": "10.0.2.2",
+        "port": 55270
+    },
+    "user": {
+        "id": 0,
+        "name": "root"
+    }
+}
\ No newline at end of file
diff --git a/x-pack/auditbeat/module/system/socket/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/socket/_meta/docs.asciidoc
new file mode 100644
index 000000000000..61e98483311e
--- /dev/null
+++ b/x-pack/auditbeat/module/system/socket/_meta/docs.asciidoc
@@ -0,0 +1,7 @@
+[role="xpack"]
+
+experimental[]
+
+This is the `process` metricset of the system module.
+
+It is implemented for Linux only.
diff --git a/x-pack/auditbeat/module/system/socket/config.go b/x-pack/auditbeat/module/system/socket/config.go
new file mode 100644
index 000000000000..cdd170ff8b8c
--- /dev/null
+++ b/x-pack/auditbeat/module/system/socket/config.go
@@ -0,0 +1,31 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package socket
+
+import (
+	"time"
+)
+
+// Config defines the socket metricset's configuration options.
+type Config struct {
+	StatePeriod       time.Duration `config:"state.period"`
+	SocketStatePeriod time.Duration `config:"socket.state.period"`
+}
+
+// Validate validates the host metricset config.
+func (c *Config) Validate() error {
+	return nil
+}
+
+func (c *Config) effectiveStatePeriod() time.Duration {
+	if c.SocketStatePeriod != 0 {
+		return c.SocketStatePeriod
+	}
+	return c.StatePeriod
+}
+
+var defaultConfig = Config{
+	StatePeriod: 1 * time.Hour,
+}
diff --git a/x-pack/auditbeat/module/system/socket/socket.go b/x-pack/auditbeat/module/system/socket/socket.go
new file mode 100644
index 000000000000..b69148e45290
--- /dev/null
+++ b/x-pack/auditbeat/module/system/socket/socket.go
@@ -0,0 +1,414 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build linux
+
+package socket
+
+import (
+	"fmt"
+	"net"
+	"os/user"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/OneOfOne/xxhash"
+	"github.com/gofrs/uuid"
+	"github.com/pkg/errors"
+
+	"github.com/elastic/beats/libbeat/common"
+	"github.com/elastic/beats/libbeat/common/cfgwarn"
+	"github.com/elastic/beats/libbeat/logp"
+	sock "github.com/elastic/beats/metricbeat/helper/socket"
+	"github.com/elastic/beats/metricbeat/mb"
+	"github.com/elastic/beats/x-pack/auditbeat/cache"
+	"github.com/elastic/gosigar/sys/linux"
+)
+
+const (
+	moduleName    = "system"
+	metricsetName = "socket"
+	namespace     = "system.audit.socket"
+
+	eventTypeState = "state"
+	eventTypeEvent = "event"
+)
+
+type eventAction uint8
+
+const (
+	eventActionExistingSocket eventAction = iota
+	eventActionSocketOpened
+	eventActionSocketClosed
+)
+
+func (action eventAction) String() string {
+	switch action {
+	case eventActionExistingSocket:
+		return "existing_socket"
+	case eventActionSocketOpened:
+		return "socket_opened"
+	case eventActionSocketClosed:
+		return "socket_closed"
+	default:
+		return ""
+	}
+}
+
+func init() {
+	mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
+		mb.DefaultMetricSet(),
+		mb.WithNamespace(namespace),
+	)
+}
+
+// MetricSet collects data about sockets.
+type MetricSet struct {
+	mb.BaseMetricSet
+	config Config
+	cache  *cache.Cache
+	log    *logp.Logger
+
+	netlink *sock.NetlinkSession
+	// TODO: Replace with process data collected in processes metricset
+	ptable    *sock.ProcTable
+	listeners *sock.ListenerTable
+
+	lastState time.Time
+}
+
+// Socket represents information about a socket.
+type Socket struct {
+	Family      linux.AddressFamily
+	LocalIP     net.IP
+	LocalPort   int
+	RemoteIP    net.IP
+	RemotePort  int
+	Inode       uint32
+	Direction   sock.Direction
+	UID         uint32
+	Username    string
+	ProcessPID  int
+	ProcessName string
+	Error       error
+}
+
+// newSocket creates a new socket out of a netlink diag message.
+func newSocket(diag *linux.InetDiagMsg) *Socket {
+	return &Socket{
+		Family:     linux.AddressFamily(diag.Family),
+		LocalIP:    diag.SrcIP(),
+		LocalPort:  diag.SrcPort(),
+		RemoteIP:   diag.DstIP(),
+		RemotePort: diag.DstPort(),
+		Inode:      diag.Inode,
+		UID:        diag.UID,
+		ProcessPID: -1,
+	}
+}
+
+// Hash creates a hash for Socket.
+func (s Socket) Hash() uint64 {
+	h := xxhash.New64()
+	h.WriteString(s.LocalIP.String())
+	h.WriteString(s.RemoteIP.String())
+	h.WriteString(strconv.Itoa(s.LocalPort))
+	h.WriteString(strconv.Itoa(s.RemotePort))
+	h.WriteString(strconv.FormatUint(uint64(s.Inode), 10))
+	return h.Sum64()
+}
+
+func (s Socket) toMapStr() common.MapStr {
+	mapstr := common.MapStr{
+		"network": common.MapStr{
+			"type":      s.Family.String(),
+			"direction": ecsDirectionString(s.Direction),
+		},
+		"user": common.MapStr{
+			"id": s.UID,
+		},
+	}
+
+	if s.Username != "" {
+		mapstr.Put("user.name", s.Username)
+	}
+
+	if s.ProcessName != "" {
+		mapstr.Put("process", common.MapStr{
+			"pid":  s.ProcessPID,
+			"name": s.ProcessName,
+		})
+	}
+
+	switch s.Direction {
+	case sock.Outgoing:
+		mapstr.Put("source", common.MapStr{
+			"ip":   s.LocalIP,
+			"port": s.LocalPort,
+		})
+		mapstr.Put("destination", common.MapStr{
+			"ip":   s.RemoteIP,
+			"port": s.RemotePort,
+		})
+	case sock.Incoming:
+		mapstr.Put("source", common.MapStr{
+			"ip":   s.RemoteIP,
+			"port": s.RemotePort,
+		})
+		mapstr.Put("destination", common.MapStr{
+			"ip":   s.LocalIP,
+			"port": s.LocalPort,
+		})
+	case sock.Listening:
+		mapstr.Put("destination", common.MapStr{
+			"ip":   s.LocalIP,
+			"port": s.LocalPort,
+		})
+	}
+
+	if s.Error != nil {
+		mapstr.Put("error.message", s.Error.Error())
+	}
+
+	return mapstr
+}
+
+// ecsDirectionString is a custom alternative to the existing String()
+// to be compatible with recommended ECS values for network.direction.
+func ecsDirectionString(direction sock.Direction) string {
+	switch direction {
+	case sock.Incoming:
+		return "inbound"
+	case sock.Outgoing:
+		return "outbound"
+	case sock.Listening:
+		return "listening"
+	default:
+		return "unknown"
+	}
+}
+
+// New constructs a new MetricSet.
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+	cfgwarn.Experimental("The %v/%v dataset is experimental", moduleName, metricsetName)
+
+	config := defaultConfig
+	if err := base.Module().UnpackConfig(&config); err != nil {
+		return nil, errors.Wrapf(err, "failed to unpack the %v/%v config", moduleName, metricsetName)
+	}
+
+	ptable, err := sock.NewProcTable("")
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create process table")
+	}
+
+	ms := &MetricSet{
+		BaseMetricSet: base,
+		config:        config,
+		log:           logp.NewLogger(metricsetName),
+		cache:         cache.New(),
+		netlink:       sock.NewNetlinkSession(),
+		ptable:        ptable,
+		listeners:     sock.NewListenerTable(),
+	}
+
+	return ms, nil
+}
+
+// Fetch collects the user information. It is invoked periodically.
+func (ms *MetricSet) Fetch(report mb.ReporterV2) {
+	needsStateUpdate := time.Since(ms.lastState) > ms.config.effectiveStatePeriod()
+	if needsStateUpdate || ms.cache.IsEmpty() {
+		ms.log.Debugf("State update needed (needsStateUpdate=%v, cache.IsEmpty()=%v)", needsStateUpdate, ms.cache.IsEmpty())
+		err := ms.reportState(report)
+		if err != nil {
+			ms.log.Error(err)
+			report.Error(err)
+		}
+		ms.log.Debugf("Next state update by %v", ms.lastState.Add(ms.config.effectiveStatePeriod()))
+	}
+
+	err := ms.reportChanges(report)
+	if err != nil {
+		ms.log.Error(err)
+		report.Error(err)
+	}
+}
+
+// reportState reports all existing sockets on the system.
+func (ms *MetricSet) reportState(report mb.ReporterV2) error {
+	ms.lastState = time.Now()
+
+	sockets, err := ms.getSockets()
+	if err != nil {
+		return errors.Wrap(err, "failed to get sockets")
+	}
+	ms.log.Debugf("Found %d sockets", len(sockets))
+
+	stateID, err := uuid.NewV4()
+	if err != nil {
+		return errors.Wrap(err, "error generating state ID")
+	}
+
+	// Refresh data for direction and process enrichment
+	ms.refreshEnrichments(sockets)
+
+	for _, socket := range sockets {
+		err = ms.enrichSocket(socket)
+		if err != nil {
+			return err
+		}
+
+		event := socketEvent(socket, eventTypeState, eventActionExistingSocket)
+		event.RootFields.Put("event.id", stateID.String())
+		report.Event(event)
+	}
+
+	// This will initialize the cache with the current sockets
+	ms.cache.DiffAndUpdateCache(convertToCacheable(sockets))
+
+	return nil
+}
+
+// reportChanges detects and reports any changes to sockets on this system since the last call.
+func (ms *MetricSet) reportChanges(report mb.ReporterV2) error {
+	sockets, err := ms.getSockets()
+	if err != nil {
+		return errors.Wrap(err, "failed to get sockets")
+	}
+
+	opened, closed := ms.cache.DiffAndUpdateCache(convertToCacheable(sockets))
+	ms.log.Debugf("Found %d sockets (%d opened, %d closed)", len(sockets), len(opened), len(closed))
+
+	if len(opened) > 0 {
+		// Refresh data for direction and process enrichment - only new sockets
+		// need enrichment
+		ms.refreshEnrichments(sockets)
+
+		for _, s := range opened {
+			err = ms.enrichSocket(s.(*Socket))
+			if err != nil {
+				return err
+			}
+
+			report.Event(socketEvent(s.(*Socket), eventTypeEvent, eventActionSocketOpened))
+		}
+	}
+
+	for _, s := range closed {
+		report.Event(socketEvent(s.(*Socket), eventTypeEvent, eventActionSocketClosed))
+	}
+
+	return nil
+}
+
+func socketEvent(socket *Socket, eventType string, action eventAction) mb.Event {
+	event := mb.Event{
+		RootFields: socket.toMapStr(),
+	}
+
+	event.RootFields.Put("event.kind", eventType)
+	event.RootFields.Put("event.action", action.String())
+	event.RootFields.Put("message", socketMessage(socket, action))
+
+	return event
+}
+
+func socketMessage(socket *Socket, action eventAction) string {
+	var actionString string
+	switch action {
+	case eventActionSocketOpened:
+		actionString = "OPENED"
+	case eventActionSocketClosed:
+		actionString = "CLOSED"
+	case eventActionExistingSocket:
+		actionString = "OPEN"
+	}
+
+	var endpointString string
+	switch socket.Direction {
+	case sock.Incoming:
+		endpointString = fmt.Sprintf("%v:%d -> %v:%d",
+			socket.RemoteIP, socket.RemotePort, socket.LocalIP, socket.LocalPort)
+	case sock.Outgoing:
+		endpointString = fmt.Sprintf("%v:%d -> %v:%d",
+			socket.LocalIP, socket.LocalPort, socket.RemoteIP, socket.RemotePort)
+	case sock.Listening:
+		endpointString = fmt.Sprintf("%v:%d", socket.LocalIP, socket.LocalPort)
+	}
+
+	return fmt.Sprintf("%v socket (%v) %v by process %v (PID: %d) and user %v (UID: %d)",
+		strings.Title(ecsDirectionString(socket.Direction)), endpointString, actionString,
+		socket.ProcessName, socket.ProcessPID, socket.Username, socket.UID)
+}
+
+func convertToCacheable(sockets []*Socket) []cache.Cacheable {
+	c := make([]cache.Cacheable, 0, len(sockets))
+
+	for _, s := range sockets {
+		c = append(c, s)
+	}
+
+	return c
+}
+
+func (ms *MetricSet) enrichSocket(socket *Socket) error {
+	userAccount, err := user.LookupId(strconv.FormatUint(uint64(socket.UID), 10))
+	if err != nil {
+		return errors.Wrapf(err, "error looking up socket UID")
+	}
+
+	socket.Username = userAccount.Username
+
+	socket.Direction = ms.listeners.Direction(uint8(syscall.IPPROTO_TCP),
+		socket.LocalIP, socket.LocalPort, socket.RemoteIP, socket.RemotePort)
+
+	if ms.ptable != nil {
+		proc := ms.ptable.ProcessBySocketInode(socket.Inode)
+		if proc != nil {
+			// Add process info by finding the process that holds the socket's inode.
+			socket.ProcessPID = proc.PID
+			socket.ProcessName = proc.Command
+		} else if socket.Inode == 0 {
+			socket.Error = fmt.Errorf("process has exited (inode=%v)", socket.Inode)
+		} else {
+			socket.Error = fmt.Errorf("process not found (inode=%v)", socket.Inode)
+		}
+	}
+
+	return nil
+}
+
+func (ms *MetricSet) getSockets() ([]*Socket, error) {
+	diags, err := ms.netlink.GetSocketList()
+	if err != nil {
+		return nil, errors.Wrap(err, "error getting sockets")
+	}
+
+	sockets := make([]*Socket, 0, len(diags))
+	for _, diag := range diags {
+		sockets = append(sockets, newSocket(diag))
+	}
+
+	return sockets, nil
+}
+
+func (ms *MetricSet) refreshEnrichments(sockets []*Socket) {
+	// Refresh inode to process mapping for process enrichment
+	err := ms.ptable.Refresh()
+	if err != nil {
+		// Errors here can happen, e.g. if a process exits while its /proc is being read.
+		ms.log.Warn(errors.Wrap(err, "error refreshing process data"))
+	}
+
+	// Register all listening sockets
+	ms.listeners.Reset()
+	for _, socket := range sockets {
+		if socket.RemotePort == 0 {
+			ms.listeners.Put(uint8(syscall.IPPROTO_TCP), socket.LocalIP, socket.LocalPort)
+		}
+	}
+}
diff --git a/x-pack/auditbeat/module/system/socket/socket_other.go b/x-pack/auditbeat/module/system/socket/socket_other.go
new file mode 100644
index 000000000000..2c8c92882e39
--- /dev/null
+++ b/x-pack/auditbeat/module/system/socket/socket_other.go
@@ -0,0 +1,29 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build !linux
+
+package socket
+
+import (
+	"fmt"
+
+	"github.com/elastic/beats/metricbeat/mb"
+)
+
+const (
+	moduleName    = "system"
+	metricsetName = "socket"
+)
+
+func init() {
+	mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
+		mb.DefaultMetricSet(),
+	)
+}
+
+// New returns an error.
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+	return nil, fmt.Errorf("the %v/%v dataset is only supported on Linux", moduleName, metricsetName)
+}
diff --git a/x-pack/auditbeat/module/system/socket/socket_test.go b/x-pack/auditbeat/module/system/socket/socket_test.go
new file mode 100644
index 000000000000..cc88fadbd921
--- /dev/null
+++ b/x-pack/auditbeat/module/system/socket/socket_test.go
@@ -0,0 +1,125 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build linux
+
+package socket
+
+import (
+	"net"
+	"os"
+	"strconv"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/elastic/beats/auditbeat/core"
+	"github.com/elastic/beats/metricbeat/mb"
+	mbtest "github.com/elastic/beats/metricbeat/mb/testing"
+)
+
+func TestData(t *testing.T) {
+	f := mbtest.NewReportingMetricSetV2(t, getConfig())
+	events, errs := mbtest.ReportingFetchV2(f)
+	if len(errs) > 0 {
+		t.Fatalf("received error: %+v", errs[0])
+	}
+	if len(events) == 0 {
+		t.Fatal("no events were generated")
+	}
+
+	// The first socket (events[0]) is usually something like rpcbind,
+	// the last one should be more interesting.
+	fullEvent := mbtest.StandardizeEvent(f, events[len(events)-1], core.AddDatasetToEvent)
+	mbtest.WriteEventToDataJSON(t, fullEvent, "")
+}
+
+func TestFetch(t *testing.T) {
+	// Consume first event: list of all currently open sockets
+	ms := mbtest.NewReportingMetricSetV2(t, getConfig())
+	events, errs := mbtest.ReportingFetchV2(ms)
+	if errs != nil {
+		t.Fatal("fetch", errs)
+	}
+	_, err := events[0].RootFields.HasKey("destination.port")
+	assert.NoError(t, err)
+
+	ln, err := net.Listen("tcp", ":0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer ln.Close()
+
+	addr := ln.Addr().String()
+	i := strings.LastIndex(addr, ":")
+	listenerPort, err := strconv.Atoi(addr[i+1:])
+	if err != nil {
+		t.Fatal("failed to get port from addr", addr)
+	}
+
+	// Consume second event: Socket we just opened
+	events, errs = mbtest.ReportingFetchV2(ms)
+	if errs != nil {
+		t.Fatal("fetch", errs)
+	}
+
+	var found bool
+	for _, evt := range events {
+		port, ok := getRequiredValue("destination.port", evt, t).(int)
+		if !ok {
+			t.Fatal("destination.port is not an int")
+		}
+		if port != listenerPort {
+			continue
+		}
+
+		pid, ok := getRequiredValue("process.pid", evt, t).(int)
+		if !ok {
+			t.Fatal("process.pid is not an int")
+		}
+		assert.Equal(t, os.Getpid(), pid)
+
+		processName, ok := getRequiredValue("process.name", evt, t).(string)
+		if !ok {
+			t.Fatal("process.name is not a string")
+		}
+		assert.Equal(t, "socket.test", processName)
+
+		uid, ok := getRequiredValue("user.id", evt, t).(uint32)
+		if !ok {
+			t.Fatal("user.uid is not a uint32")
+		}
+		assert.EqualValues(t, os.Geteuid(), uid)
+
+		dir, ok := getRequiredValue("network.direction", evt, t).(string)
+		if !ok {
+			t.Fatal("network.direction is not a string")
+		}
+		assert.Equal(t, "listening", dir)
+
+		found = true
+		break
+	}
+
+	assert.True(t, found, "listener not found")
+}
+
+func getRequiredValue(key string, mbEvent mb.Event, t testing.TB) interface{} {
+	v, err := mbEvent.RootFields.GetValue(key)
+	if err != nil {
+		t.Fatalf("err=%v, key=%v, event=%v", key, err, mbEvent)
+	}
+	if v == nil {
+		t.Fatalf("key %v not found in %v", key, mbEvent)
+	}
+	return v
+}
+
+func getConfig() map[string]interface{} {
+	return map[string]interface{}{
+		"module":     "system",
+		"metricsets": []string{"socket"},
+	}
+}
diff --git a/x-pack/auditbeat/module/system/user/_meta/data.json b/x-pack/auditbeat/module/system/user/_meta/data.json
new file mode 100644
index 000000000000..5958f7288369
--- /dev/null
+++ b/x-pack/auditbeat/module/system/user/_meta/data.json
@@ -0,0 +1,48 @@
+{
+    "@timestamp": "2017-10-12T08:05:34.853Z",
+    "agent": {
+        "hostname": "host.example.com",
+        "name": "host.example.com"
+    },
+    "event": {
+        "action": "existing_user",
+        "dataset": "user",
+        "id": "b0bbc4e2-9540-4aaf-b74e-ef9de506e852",
+        "kind": "state",
+        "module": "system"
+    },
+    "message": "Existing user elastic (UID: 1002, Groups: elastic,docker)",
+    "service": {
+        "type": "system"
+    },
+    "system": {
+        "audit": {
+            "user": {
+                "dir": "/home/elastic",
+                "gid": 1002,
+                "group": [
+                    {
+                        "gid": 1002,
+                        "name": "elastic"
+                    },
+                    {
+                        "gid": 999,
+                        "name": "docker"
+                    }
+                ],
+                "name": "elastic",
+                "password": {
+                    "last_changed": "2018-12-07T00:00:00Z",
+                    "type": "shadow_password"
+                },
+                "shell": "/usr/bin/zsh",
+                "uid": 1002,
+                "user_information": ",,,"
+            }
+        }
+    },
+    "user": {
+        "id": 1002,
+        "name": "elastic"
+    }
+}
\ No newline at end of file
diff --git a/x-pack/auditbeat/module/system/user/_meta/docs.asciidoc b/x-pack/auditbeat/module/system/user/_meta/docs.asciidoc
new file mode 100644
index 000000000000..dd5af6ead89f
--- /dev/null
+++ b/x-pack/auditbeat/module/system/user/_meta/docs.asciidoc
@@ -0,0 +1,7 @@
+[role="xpack"]
+
+experimental[]
+
+This is the `user` metricset of the system module.
+
+It is implemented for Linux only.
diff --git a/x-pack/auditbeat/module/system/user/_meta/fields.yml b/x-pack/auditbeat/module/system/user/_meta/fields.yml
new file mode 100644
index 000000000000..c66a20891337
--- /dev/null
+++ b/x-pack/auditbeat/module/system/user/_meta/fields.yml
@@ -0,0 +1,60 @@
+- name: user
+  type: group
+  description: >
+    `user` contains information about the users on a system.
+  release: experimental
+  fields:
+    - name: name
+      type: keyword
+      description: >
+          User name.
+    - name: uid
+      type: integer
+      description: >
+          User ID.
+    - name: gid
+      type: integer
+      description: >
+          Group ID.
+    - name: dir
+      type: keyword
+      description: >
+          User's home directory.
+    - name: shell
+      type: keyword
+      description: >
+          Program to run at login.
+    - name: user_information
+      type: text
+      description: >
+          General user information. On Linux, this is the gecos field.
+    - name: group
+      type: object
+      description: >
+        `group` contains information about any groups the user is part of (beyond the user's primary group).
+      fields:
+        - name: name
+          type: keyword
+          description: >
+              Group name.
+        - name: gid
+          type: integer
+          description: >
+              Group ID.
+    - name: password
+      type: group
+      description: >
+        `password` contains information about a user's password (not the password itself).
+      fields:
+        - name: type
+          type: keyword
+          description: >
+              A user's password type. Possible values are `shadow_password`
+              (the password hash is in the shadow file), `password_disabled`,
+              `no_password` (this is dangerous as anyone can log in), and
+              `crypt_password` (when the password field in /etc/passwd seems
+              to contain an encrypted password).
+        - name: last_changed
+          type: date
+          description: >
+              The day the user's password was last changed.
diff --git a/x-pack/auditbeat/module/system/user/config.go b/x-pack/auditbeat/module/system/user/config.go
new file mode 100644
index 000000000000..de6d438b257e
--- /dev/null
+++ b/x-pack/auditbeat/module/system/user/config.go
@@ -0,0 +1,30 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package user
+
+import (
+	"time"
+)
+
+// config defines the metricset's configuration options.
+type config struct {
+	StatePeriod           time.Duration `config:"state.period"`
+	UserStatePeriod       time.Duration `config:"user.state.period"`
+	DetectPasswordChanges bool          `config:"user.detect_password_changes"`
+}
+
+func (c *config) effectiveStatePeriod() time.Duration {
+	if c.UserStatePeriod != 0 {
+		return c.UserStatePeriod
+	}
+	return c.StatePeriod
+}
+
+func defaultConfig() config {
+	return config{
+		StatePeriod:           12 * time.Hour,
+		DetectPasswordChanges: false,
+	}
+}
diff --git a/x-pack/auditbeat/module/system/user/user.go b/x-pack/auditbeat/module/system/user/user.go
new file mode 100644
index 000000000000..5cc12d5f4b07
--- /dev/null
+++ b/x-pack/auditbeat/module/system/user/user.go
@@ -0,0 +1,534 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build linux,cgo
+
+package user
+
+import (
+	"bytes"
+	"encoding/binary"
+	"encoding/gob"
+	"fmt"
+	"io"
+	"runtime"
+	"strconv"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/OneOfOne/xxhash"
+	"github.com/gofrs/uuid"
+	"github.com/pkg/errors"
+
+	"github.com/elastic/beats/auditbeat/datastore"
+	"github.com/elastic/beats/libbeat/common"
+	"github.com/elastic/beats/libbeat/common/cfgwarn"
+	"github.com/elastic/beats/libbeat/logp"
+	"github.com/elastic/beats/metricbeat/mb"
+	"github.com/elastic/beats/x-pack/auditbeat/cache"
+)
+
+const (
+	moduleName    = "system"
+	metricsetName = "user"
+	namespace     = "system.audit.user"
+
+	passwdFile = "/etc/passwd"
+	groupFile  = "/etc/group"
+	shadowFile = "/etc/shadow"
+
+	bucketName              = "user.v1"
+	bucketKeyUsers          = "users"
+	bucketKeyStateTimestamp = "state_timestamp"
+
+	eventTypeState = "state"
+	eventTypeEvent = "event"
+)
+
+type eventAction uint8
+
+const (
+	eventActionExistingUser eventAction = iota
+	eventActionUserAdded
+	eventActionUserRemoved
+	eventActionUserChanged
+	eventActionPasswordChanged
+)
+
+func (action eventAction) String() string {
+	switch action {
+	case eventActionExistingUser:
+		return "existing_user"
+	case eventActionUserAdded:
+		return "user_added"
+	case eventActionUserRemoved:
+		return "user_removed"
+	case eventActionUserChanged:
+		return "user_changed"
+	case eventActionPasswordChanged:
+		return "password_changed"
+	default:
+		return ""
+	}
+}
+
+type passwordType uint8
+
+const (
+	detectionDisabled passwordType = iota
+	shadowPassword
+	passwordDisabled
+	noPassword
+	cryptPassword
+)
+
+func (t passwordType) String() string {
+	switch t {
+	case shadowPassword:
+		return "shadow_password"
+	case passwordDisabled:
+		return "password_disabled"
+	case noPassword:
+		return "no_password"
+	case cryptPassword:
+		return "crypt_password"
+	default:
+		return ""
+	}
+}
+
+// User represents a user. Fields according to getpwent(3).
+type User struct {
+	Name             string
+	PasswordType     passwordType
+	PasswordChanged  time.Time
+	PasswordHashHash []byte
+	UID              uint32
+	GID              uint32
+	Groups           []Group
+	UserInfo         string
+	Dir              string
+	Shell            string
+	Action           string
+}
+
+// Group contains information about a group.
+type Group struct {
+	Name string
+	GID  uint32
+}
+
+// Hash creates a hash for User.
+func (user User) Hash() uint64 {
+	h := xxhash.New64()
+	// Use everything except userInfo
+	h.WriteString(user.Name)
+	binary.Write(h, binary.BigEndian, uint8(user.PasswordType))
+	h.WriteString(user.PasswordChanged.String())
+	h.Write(user.PasswordHashHash)
+	h.WriteString(strconv.Itoa(int(user.UID)))
+	h.WriteString(strconv.Itoa(int(user.GID)))
+	h.WriteString(user.Dir)
+	h.WriteString(user.Shell)
+
+	for _, group := range user.Groups {
+		h.WriteString(group.Name)
+		h.WriteString(strconv.Itoa(int(group.GID)))
+	}
+
+	return h.Sum64()
+}
+
+func (user User) toMapStr() common.MapStr {
+	evt := common.MapStr{
+		"name":  user.Name,
+		"uid":   user.UID,
+		"gid":   user.GID,
+		"dir":   user.Dir,
+		"shell": user.Shell,
+	}
+
+	if user.UserInfo != "" {
+		evt.Put("user_information", user.UserInfo)
+	}
+
+	if user.PasswordType != detectionDisabled {
+		evt.Put("password.type", user.PasswordType.String())
+	}
+
+	if !user.PasswordChanged.IsZero() {
+		evt.Put("password.last_changed", user.PasswordChanged)
+	}
+
+	if len(user.Groups) > 0 {
+		var groupMapStr []common.MapStr
+		for _, group := range user.Groups {
+			groupMapStr = append(groupMapStr, common.MapStr{
+				"name": group.Name,
+				"gid":  group.GID,
+			})
+		}
+		evt.Put("group", groupMapStr)
+	}
+
+	return evt
+}
+
+func init() {
+	mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
+		mb.DefaultMetricSet(),
+		mb.WithNamespace(namespace),
+	)
+}
+
+// MetricSet collects data about a system's users.
+type MetricSet struct {
+	mb.BaseMetricSet
+	config    config
+	log       *logp.Logger
+	cache     *cache.Cache
+	bucket    datastore.Bucket
+	lastState time.Time
+	userFiles []string
+	lastRead  time.Time
+}
+
+// New constructs a new MetricSet.
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+	cfgwarn.Experimental("The %v/%v dataset is experimental", moduleName, metricsetName)
+	if runtime.GOOS != "linux" {
+		return nil, fmt.Errorf("the %v/%v dataset is only supported on Linux", moduleName, metricsetName)
+	}
+
+	config := defaultConfig()
+	if err := base.Module().UnpackConfig(&config); err != nil {
+		return nil, errors.Wrapf(err, "failed to unpack the %v/%v config", moduleName, metricsetName)
+	}
+
+	bucket, err := datastore.OpenBucket(bucketName)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to open persistent datastore")
+	}
+
+	ms := &MetricSet{
+		BaseMetricSet: base,
+		config:        config,
+		log:           logp.NewLogger(metricsetName),
+		cache:         cache.New(),
+		bucket:        bucket,
+	}
+
+	if ms.config.DetectPasswordChanges {
+		ms.userFiles = []string{passwdFile, groupFile, shadowFile}
+	} else {
+		ms.userFiles = []string{passwdFile, groupFile}
+	}
+
+	// Load from disk: Time when state was last sent
+	err = bucket.Load(bucketKeyStateTimestamp, func(blob []byte) error {
+		if len(blob) > 0 {
+			return ms.lastState.UnmarshalBinary(blob)
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	if !ms.lastState.IsZero() {
+		ms.log.Debugf("Last state was sent at %v. Next state update by %v.", ms.lastState, ms.lastState.Add(ms.config.effectiveStatePeriod()))
+	} else {
+		ms.log.Debug("No state timestamp found")
+	}
+
+	// Load from disk: Users
+	users, err := ms.restoreUsersFromDisk()
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to restore users from disk")
+	}
+	ms.log.Debugf("Restored %d users from disk", len(users))
+
+	ms.cache.DiffAndUpdateCache(convertToCacheable(users))
+
+	return ms, nil
+}
+
+// Close cleans up the MetricSet when it finishes.
+func (ms *MetricSet) Close() error {
+	if ms.bucket != nil {
+		return ms.bucket.Close()
+	}
+	return nil
+}
+
+// Fetch collects the user information. It is invoked periodically.
+func (ms *MetricSet) Fetch(report mb.ReporterV2) {
+	needsStateUpdate := time.Since(ms.lastState) > ms.config.effectiveStatePeriod()
+	if needsStateUpdate || ms.cache.IsEmpty() {
+		ms.log.Debugf("State update needed (needsStateUpdate=%v, cache.IsEmpty()=%v)", needsStateUpdate, ms.cache.IsEmpty())
+		err := ms.reportState(report)
+		if err != nil {
+			ms.log.Error(err)
+			report.Error(err)
+		}
+		ms.log.Debugf("Next state update by %v", ms.lastState.Add(ms.config.effectiveStatePeriod()))
+	}
+
+	err := ms.reportChanges(report)
+	if err != nil {
+		ms.log.Error(err)
+		report.Error(err)
+	}
+}
+
+// reportState reports all existing users on the system.
+func (ms *MetricSet) reportState(report mb.ReporterV2) error {
+	ms.lastState = time.Now()
+
+	users, err := GetUsers(ms.config.DetectPasswordChanges)
+	if err != nil {
+		return errors.Wrap(err, "failed to get users")
+	}
+	ms.log.Debugf("Found %v users", len(users))
+
+	stateID, err := uuid.NewV4()
+	if err != nil {
+		return errors.Wrap(err, "error generating state ID")
+	}
+	for _, user := range users {
+		event := userEvent(user, eventTypeState, eventActionExistingUser)
+		event.RootFields.Put("event.id", stateID.String())
+		report.Event(event)
+	}
+
+	if ms.cache != nil {
+		// This will initialize the cache with the current processes
+		ms.cache.DiffAndUpdateCache(convertToCacheable(users))
+	}
+
+	// Save time so we know when to send the state again (config.StatePeriod)
+	timeBytes, err := ms.lastState.MarshalBinary()
+	if err != nil {
+		return err
+	}
+	err = ms.bucket.Store(bucketKeyStateTimestamp, timeBytes)
+	if err != nil {
+		return errors.Wrap(err, "error writing state timestamp to disk")
+	}
+
+	return ms.saveUsersToDisk(users)
+}
+
+// reportChanges detects and reports any changes to users on this system since the last call.
+func (ms *MetricSet) reportChanges(report mb.ReporterV2) error {
+	currentTime := time.Now()
+
+	// If this is not the first call to Fetch/reportChanges,
+	// check if files have changed since the last time before going any further.
+	if !ms.lastRead.IsZero() {
+		changed, err := ms.haveFilesChanged()
+		if err != nil {
+			return err
+		}
+		if !changed {
+			return nil
+		}
+	}
+	ms.lastRead = currentTime
+
+	users, err := GetUsers(ms.config.DetectPasswordChanges)
+	if err != nil {
+		return errors.Wrap(err, "failed to get users")
+	}
+	ms.log.Debugf("Found %v users", len(users))
+
+	newInCache, missingFromCache := ms.cache.DiffAndUpdateCache(convertToCacheable(users))
+
+	if len(newInCache) > 0 && len(missingFromCache) > 0 {
+		// Check for changes to users
+		missingUserMap := make(map[uint32](*User))
+		for _, missingUser := range missingFromCache {
+			missingUserMap[missingUser.(*User).UID] = missingUser.(*User)
+		}
+
+		for _, userFromCache := range newInCache {
+			newUser := userFromCache.(*User)
+			oldUser, found := missingUserMap[newUser.UID]
+
+			if found {
+				// Report password change separately
+				if ms.config.DetectPasswordChanges && newUser.PasswordType != detectionDisabled &&
+					oldUser.PasswordType != detectionDisabled {
+
+					passwordChanged := newUser.PasswordChanged.Before(oldUser.PasswordChanged) ||
+						!bytes.Equal(newUser.PasswordHashHash, oldUser.PasswordHashHash) ||
+						newUser.PasswordType != oldUser.PasswordType
+
+					if passwordChanged {
+						report.Event(userEvent(newUser, eventTypeEvent, eventActionPasswordChanged))
+					}
+				}
+
+				// Hack to check if only the password changed
+				oldUser.PasswordChanged = newUser.PasswordChanged
+				oldUser.PasswordHashHash = newUser.PasswordHashHash
+				oldUser.PasswordType = newUser.PasswordType
+				if newUser.Hash() != oldUser.Hash() {
+					report.Event(userEvent(newUser, eventTypeEvent, eventActionUserChanged))
+				}
+
+				delete(missingUserMap, oldUser.UID)
+			} else {
+				report.Event(userEvent(newUser, eventTypeEvent, eventActionUserAdded))
+			}
+		}
+
+		for _, missingUser := range missingUserMap {
+			report.Event(userEvent(missingUser, eventTypeEvent, eventActionUserRemoved))
+		}
+	} else {
+		// No changes to users
+		for _, user := range newInCache {
+			report.Event(userEvent(user.(*User), eventTypeEvent, eventActionUserAdded))
+		}
+
+		for _, user := range missingFromCache {
+			report.Event(userEvent(user.(*User), eventTypeEvent, eventActionUserRemoved))
+		}
+	}
+
+	if len(newInCache) > 0 || len(missingFromCache) > 0 {
+		return ms.saveUsersToDisk(users)
+	}
+
+	return nil
+}
+
+func userEvent(user *User, eventType string, action eventAction) mb.Event {
+	return mb.Event{
+		RootFields: common.MapStr{
+			"event": common.MapStr{
+				"kind":   eventType,
+				"action": action.String(),
+			},
+			"user": common.MapStr{
+				"id":   user.UID,
+				"name": user.Name,
+			},
+			"message": userMessage(user, action),
+		},
+		MetricSetFields: user.toMapStr(),
+	}
+}
+
+func userMessage(user *User, action eventAction) string {
+	var actionString string
+	switch action {
+	case eventActionExistingUser:
+		actionString = "Existing"
+	case eventActionUserAdded:
+		actionString = "New"
+	case eventActionUserRemoved:
+		actionString = "Removed"
+	case eventActionUserChanged:
+		actionString = "Changed"
+	case eventActionPasswordChanged:
+		actionString = "Password changed for"
+	}
+
+	return fmt.Sprintf("%v user %v (UID: %v, Groups: %v)",
+		actionString, user.Name, user.UID, fmtGroups(user.Groups))
+}
+
+func fmtGroups(groups []Group) string {
+	var b strings.Builder
+
+	b.WriteString(groups[0].Name)
+	for _, group := range groups[1:] {
+		b.WriteString(",")
+		b.WriteString(group.Name)
+	}
+
+	return b.String()
+}
+
+func convertToCacheable(users []*User) []cache.Cacheable {
+	c := make([]cache.Cacheable, 0, len(users))
+
+	for _, u := range users {
+		c = append(c, u)
+	}
+
+	return c
+}
+
+// restoreUsersFromDisk loads the user cache from disk.
+func (ms *MetricSet) restoreUsersFromDisk() (users []*User, err error) {
+	var decoder *gob.Decoder
+	err = ms.bucket.Load(bucketKeyUsers, func(blob []byte) error {
+		if len(blob) > 0 {
+			buf := bytes.NewBuffer(blob)
+			decoder = gob.NewDecoder(buf)
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if decoder != nil {
+		for {
+			user := new(User)
+			err = decoder.Decode(user)
+			if err == nil {
+				users = append(users, user)
+			} else if err == io.EOF {
+				// Read all users
+				break
+			} else {
+				return nil, errors.Wrap(err, "error decoding users")
+			}
+		}
+	}
+
+	return users, nil
+}
+
+// Save user cache to disk.
+func (ms *MetricSet) saveUsersToDisk(users []*User) error {
+	var buf bytes.Buffer
+	encoder := gob.NewEncoder(&buf)
+
+	for _, user := range users {
+		err := encoder.Encode(*user)
+		if err != nil {
+			return errors.Wrap(err, "error encoding users")
+		}
+	}
+
+	err := ms.bucket.Store(bucketKeyUsers, buf.Bytes())
+	if err != nil {
+		return errors.Wrap(err, "error writing users to disk")
+	}
+	return nil
+}
+
+// haveFilesChanged checks if the ctime of any of the user files has changed.
+func (ms *MetricSet) haveFilesChanged() (bool, error) {
+	var stats syscall.Stat_t
+	for _, path := range ms.userFiles {
+		if err := syscall.Stat(path, &stats); err != nil {
+			return true, errors.Wrapf(err, "failed to stat %v", path)
+		}
+
+		ctime := time.Unix(stats.Ctim.Sec, stats.Ctim.Nsec)
+		if ms.lastRead.Before(ctime) {
+			ms.log.Debugf("File changed: %v (lastRead=%v, ctime=%v)", path, ms.lastRead, ctime)
+
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
diff --git a/x-pack/auditbeat/module/system/user/user_test.go b/x-pack/auditbeat/module/system/user/user_test.go
new file mode 100644
index 000000000000..f02f6bc3d8f2
--- /dev/null
+++ b/x-pack/auditbeat/module/system/user/user_test.go
@@ -0,0 +1,38 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build linux,cgo
+
+package user
+
+import (
+	"testing"
+
+	"github.com/elastic/beats/auditbeat/core"
+	mbtest "github.com/elastic/beats/metricbeat/mb/testing"
+)
+
+func TestData(t *testing.T) {
+	f := mbtest.NewReportingMetricSetV2(t, getConfig())
+	events, errs := mbtest.ReportingFetchV2(f)
+	if len(errs) > 0 {
+		t.Fatalf("received error: %+v", errs[0])
+	}
+
+	if len(events) == 0 {
+		t.Fatal("no events were generated")
+	}
+
+	// The first user (events[0]) is usually root, the last one should be more interesting.
+	fullEvent := mbtest.StandardizeEvent(f, events[len(events)-1], core.AddDatasetToEvent)
+	mbtest.WriteEventToDataJSON(t, fullEvent, "")
+}
+
+func getConfig() map[string]interface{} {
+	return map[string]interface{}{
+		"module":                       "system",
+		"metricsets":                   []string{"user"},
+		"user.detect_password_changes": true,
+	}
+}
diff --git a/x-pack/auditbeat/module/system/user/users_linux.go b/x-pack/auditbeat/module/system/user/users_linux.go
new file mode 100644
index 000000000000..a65bbaa17a2b
--- /dev/null
+++ b/x-pack/auditbeat/module/system/user/users_linux.go
@@ -0,0 +1,225 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build linux,cgo
+
+package user
+
+// #include <sys/types.h>
+// #include <pwd.h>
+// #include <grp.h>
+// #include <shadow.h>
+import "C"
+
+import (
+	"crypto/sha512"
+	"strings"
+	"time"
+	"unsafe"
+
+	"github.com/pkg/errors"
+)
+
+var (
+	epoch = time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC)
+)
+
+// GetUsers retrieves a list of users using information from
+// /etc/passwd, /etc/group, and - if configured - /etc/shadow.
+func GetUsers(readPasswords bool) ([]*User, error) {
+	users, err := readPasswdFile(readPasswords)
+	if err != nil {
+		return nil, err
+	}
+
+	err = enrichWithGroups(users)
+	if err != nil {
+		return nil, err
+	}
+
+	if readPasswords {
+		err = enrichWithShadow(users)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return users, nil
+}
+
+func readPasswdFile(readPasswords bool) ([]*User, error) {
+	var users []*User
+
+	C.setpwent()
+	defer C.endpwent()
+
+	for passwd, err := C.getpwent(); passwd != nil; passwd, err = C.getpwent() {
+		if err != nil {
+			return nil, errors.Wrap(err, "error getting user")
+		}
+
+		// passwd is C.struct_passwd
+		user := &User{
+			Name:     C.GoString(passwd.pw_name),
+			UID:      uint32(passwd.pw_uid),
+			GID:      uint32(passwd.pw_gid),
+			UserInfo: C.GoString(passwd.pw_gecos),
+			Dir:      C.GoString(passwd.pw_dir),
+			Shell:    C.GoString(passwd.pw_shell),
+		}
+
+		if readPasswords {
+			switch C.GoString(passwd.pw_passwd) {
+			case "x":
+				user.PasswordType = shadowPassword
+			case "*":
+				user.PasswordType = passwordDisabled
+			case "":
+				user.PasswordType = noPassword
+			default:
+				user.PasswordType = cryptPassword
+				user.PasswordHashHash = multiRoundHash(C.GoString(passwd.pw_passwd))
+			}
+		} else {
+			user.PasswordType = detectionDisabled
+		}
+
+		users = append(users, user)
+	}
+
+	return users, nil
+}
+
+func enrichWithGroups(users []*User) error {
+	gidToGroup, userToGroup, err := readGroupFile()
+	if err != nil {
+		return err
+	}
+
+	for _, user := range users {
+		primaryGroup, found := gidToGroup[user.GID]
+		if found {
+			user.Groups = append(user.Groups, primaryGroup)
+		}
+
+		secondaryGroups, found := userToGroup[user.Name]
+		if found {
+			user.Groups = append(user.Groups, secondaryGroups...)
+		}
+	}
+
+	return nil
+}
+
+func enrichWithShadow(users []*User) error {
+	shadowEntries, err := readShadowFile()
+	if err != nil {
+		return err
+	}
+
+	for _, user := range users {
+		if user.PasswordType == shadowPassword {
+			shadow, found := shadowEntries[user.Name]
+			if found {
+				user.PasswordChanged = shadow.LastChanged
+
+				if shadow.Password == "" {
+					user.PasswordType = noPassword
+				} else if strings.HasPrefix(shadow.Password, "!") || strings.HasPrefix(shadow.Password, "*") {
+					user.PasswordType = passwordDisabled
+				} else {
+					user.PasswordHashHash = multiRoundHash(shadow.Password)
+				}
+			}
+		}
+	}
+
+	return nil
+}
+
+// readGroupFile reads /etc/group and returns two maps:
+// The first maps group IDs to groups.
+// The second maps group members (user names) to groups.
+// See getgrent(3) for details of the structs.
+func readGroupFile() (map[uint32]Group, map[string][]Group, error) {
+	C.setgrent()
+	defer C.endgrent()
+
+	groupIDMap := make(map[uint32]Group)
+	groupMemberMap := make(map[string][]Group)
+	for cgroup, err := C.getgrent(); cgroup != nil; cgroup, err = C.getgrent() {
+		if err != nil {
+			return nil, nil, errors.Wrap(err, "error while reading group file")
+		}
+
+		groupName := C.GoString(cgroup.gr_name)
+		gid := uint32(cgroup.gr_gid)
+
+		group := Group{
+			Name: groupName,
+			GID:  gid,
+		}
+
+		groupIDMap[gid] = group
+
+		/*
+			group.gr_mem is a NULL-terminated array of pointers to user names (char **)
+			which makes some pointer arithmetic necessary to read it.
+		*/
+		for i := 0; ; i++ {
+			offset := (unsafe.Sizeof(unsafe.Pointer(*cgroup.gr_mem)) * uintptr(i))
+			member := *(**C.char)(unsafe.Pointer(uintptr(unsafe.Pointer(cgroup.gr_mem)) + offset))
+
+			if member == nil {
+				break
+			}
+
+			groupMember := C.GoString(member)
+			groupMemberMap[groupMember] = append(groupMemberMap[groupMember], group)
+		}
+	}
+
+	return groupIDMap, groupMemberMap, nil
+}
+
+// shadowFileEntry represents an entry in /etc/shadow. See getspnam(3) for details.
+type shadowFileEntry struct {
+	LastChanged time.Time
+	Password    string
+}
+
+// readShadowFile reads /etc/shadow and returns a map of the entries keyed to user's names.
+func readShadowFile() (map[string]shadowFileEntry, error) {
+	C.setspent()
+	defer C.endspent()
+
+	shadowEntries := make(map[string]shadowFileEntry)
+	for spwd, err := C.getspent(); spwd != nil; spwd, err = C.getspent() {
+		if err != nil {
+			return nil, errors.Wrap(err, "error while reading shadow file")
+		}
+
+		shadow := shadowFileEntry{
+			// sp_lstchg is in days since Jan 1, 1970.
+			LastChanged: epoch.AddDate(0, 0, int(spwd.sp_lstchg)),
+
+			// The password hash is never output to Elasticsearch or any other output,
+			// but a hash of the hash is persisted to disk in the beat.db file.
+			Password: C.GoString(spwd.sp_pwdp),
+		}
+
+		shadowEntries[C.GoString(spwd.sp_namp)] = shadow
+	}
+
+	return shadowEntries, nil
+}
+
+// multiRoundHash performs 10 rounds of SHA-512 hashing.
+func multiRoundHash(s string) []byte {
+	hash := sha512.Sum512([]byte(s))
+	for i := 0; i < 9; i++ {
+		hash = sha512.Sum512(hash[:])
+	}
+	return hash[:]
+}
diff --git a/x-pack/auditbeat/module/system/user/users_other.go b/x-pack/auditbeat/module/system/user/users_other.go
new file mode 100644
index 000000000000..da9351dc9712
--- /dev/null
+++ b/x-pack/auditbeat/module/system/user/users_other.go
@@ -0,0 +1,29 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build !linux !cgo
+
+package user
+
+import (
+	"fmt"
+
+	"github.com/elastic/beats/metricbeat/mb"
+)
+
+const (
+	moduleName    = "system"
+	metricsetName = "user"
+)
+
+func init() {
+	mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
+		mb.DefaultMetricSet(),
+	)
+}
+
+// New returns an error.
+func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
+	return nil, fmt.Errorf("the %v/%v dataset is only supported on Linux", moduleName, metricsetName)
+}
diff --git a/x-pack/auditbeat/tests/system/auditbeat_xpack.py b/x-pack/auditbeat/tests/system/auditbeat_xpack.py
new file mode 100644
index 000000000000..ede9115b67ac
--- /dev/null
+++ b/x-pack/auditbeat/tests/system/auditbeat_xpack.py
@@ -0,0 +1,55 @@
+import jinja2
+import os
+
+from auditbeat import BaseTest as AuditbeatTest
+
+
+class AuditbeatXPackTest(AuditbeatTest):
+
+    @classmethod
+    def setUpClass(self):
+        self.beat_name = "auditbeat"
+        self.beat_path = os.path.abspath(
+            os.path.join(os.path.dirname(__file__), "../../"))
+
+        super(AuditbeatTest, self).setUpClass()
+
+    def setUp(self):
+        super(AuditbeatTest, self).setUp()
+
+        # Hack to make jinja2 have the right paths
+        self.template_env = jinja2.Environment(
+            loader=jinja2.FileSystemLoader([
+                os.path.abspath(os.path.join(self.beat_path, "../../auditbeat")),
+                os.path.abspath(os.path.join(self.beat_path, "../../libbeat"))
+            ])
+        )
+
+    # Adapted from metricbeat.py
+    def check_metricset(self, module, metricset, fields=[], warnings_allowed=False):
+        """
+        Method to test a metricset for its fields
+        """
+        self.render_config_template(modules=[{
+            "name": module,
+            "metricsets": [metricset],
+            "period": "10s",
+        }])
+        proc = self.start_beat()
+        self.wait_until(lambda: self.output_lines() > 0)
+        proc.check_kill_and_wait()
+
+        if not warnings_allowed:
+            self.assert_no_logged_warnings()
+
+        output = self.read_output_json()
+        self.assertTrue(len(output) >= 1)
+        evt = output[0]
+        print(evt)
+
+        flattened = self.flatten_object(evt, {})
+        for f in fields:
+            if not f in flattened:
+                raise Exception("Field '{}' not found in event.".format(f))
+
+        self.assert_fields_are_documented(evt)
diff --git a/x-pack/auditbeat/tests/system/test_metricsets.py b/x-pack/auditbeat/tests/system/test_metricsets.py
new file mode 100644
index 000000000000..0252d036db9d
--- /dev/null
+++ b/x-pack/auditbeat/tests/system/test_metricsets.py
@@ -0,0 +1,92 @@
+import jinja2
+import os
+import sys
+import time
+import unittest
+
+sys.path.append(os.path.join(os.path.dirname(__file__), '../../../../auditbeat/tests/system'))
+
+from auditbeat_xpack import *
+
+COMMON_FIELDS = ["@timestamp", "host.name", "event.module", "event.dataset"]
+
+
+class Test(AuditbeatXPackTest):
+
+    def test_metricset_host(self):
+        """
+        host metricset collects general information about a server.
+        """
+
+        fields = ["system.audit.host.uptime", "system.audit.host.ip", "system.audit.host.os.name"]
+
+        # Metricset is experimental and that generates a warning, TODO: remove later
+        # TODO: Remove try/catch once new fields are in fields.ecs.yml
+        # https://github.com/elastic/beats/issues/9318
+        try:
+            self.check_metricset("system", "host", COMMON_FIELDS + fields, warnings_allowed=True)
+        except Exception as e:
+            if "event.kind" not in str(e):
+                raise
+
+    @unittest.skip("Packages metricset is disabled")
+    def test_metricset_packages(self):
+        """
+        packages metricset collects information about installed packages on a system.
+        """
+
+        fields = ["system.audit.packages.package"]
+
+        # Metricset is experimental and that generates a warning, TODO: remove later
+        self.check_metricset("system", "packages", COMMON_FIELDS + fields, warnings_allowed=True)
+
+    @unittest.skipIf(sys.platform == "darwin" and os.geteuid != 0, "Requires root on macOS")
+    def test_metricset_process(self):
+        """
+        process metricset collects information about processes running on a system.
+        """
+
+        fields = ["process.pid"]
+
+        # Metricset is experimental and that generates a warning, TODO: remove later
+        # TODO: Remove try/catch once new fields are in fields.ecs.yml
+        # https://github.com/elastic/beats/issues/9318
+        try:
+            self.check_metricset("system", "process", COMMON_FIELDS + fields, warnings_allowed=True)
+        except Exception as e:
+            if "process.working_directory" not in str(e) and "process.start" not in str(e) and "event.kind" not in str(e):
+                raise
+
+    @unittest.skipUnless(sys.platform == "linux2", "Only implemented for Linux")
+    def test_metricset_socket(self):
+        """
+        socket metricset collects information about open sockets on a system.
+        """
+
+        fields = ["destination.port"]
+
+        # Metricset is experimental and that generates a warning, TODO: remove later
+        # TODO: Remove try/catch once new fields are in fields.ecs.yml
+        # https://github.com/elastic/beats/issues/9318
+        try:
+            self.check_metricset("system", "socket", COMMON_FIELDS + fields, warnings_allowed=True)
+        except Exception as e:
+            if "network.type" not in str(e) and "event.kind" not in str(e):
+                raise
+
+    @unittest.skipUnless(sys.platform == "linux2", "Only implemented for Linux")
+    def test_metricset_user(self):
+        """
+        user metricset collects information about users on a server.
+        """
+
+        fields = ["system.audit.user.name"]
+
+        # Metricset is experimental and that generates a warning, TODO: remove later
+        # TODO: Remove try/catch once new fields are in fields.ecs.yml
+        # https://github.com/elastic/beats/issues/9318
+        try:
+            self.check_metricset("system", "user", COMMON_FIELDS + fields, warnings_allowed=True)
+        except Exception as e:
+            if "event.kind" not in str(e):
+                raise
diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go
index e35ddca220c1..1977743af270 100644
--- a/x-pack/filebeat/include/list.go
+++ b/x-pack/filebeat/include/list.go
@@ -7,6 +7,6 @@
 package include
 
 import (
-	// Import modules.
+	// Import packages that need to register themselves.
 	_ "github.com/elastic/beats/x-pack/filebeat/module/suricata"
 )
diff --git a/x-pack/filebeat/magefile.go b/x-pack/filebeat/magefile.go
index cd32f0ecf2d3..c8410fe4eb4c 100644
--- a/x-pack/filebeat/magefile.go
+++ b/x-pack/filebeat/magefile.go
@@ -20,7 +20,7 @@ import (
 
 func init() {
 	mage.BeatDescription = "Filebeat sends log files to Logstash or directly to Elasticsearch."
-	mage.BeatLicense = "Elastic"
+	mage.BeatLicense = "Elastic License"
 }
 
 // Build builds the Beat binary.
diff --git a/x-pack/functionbeat/magefile.go b/x-pack/functionbeat/magefile.go
index 26c4038760f3..12a9597bf28a 100644
--- a/x-pack/functionbeat/magefile.go
+++ b/x-pack/functionbeat/magefile.go
@@ -19,7 +19,7 @@ import (
 
 func init() {
 	mage.BeatDescription = "Functionbeat is a beat implementation for a serverless architecture."
-	mage.BeatLicense = "Elastic"
+	mage.BeatLicense = "Elastic License"
 }
 
 // Build builds the Beat binary.
diff --git a/x-pack/metricbeat/include/list.go b/x-pack/metricbeat/include/list.go
index 601cf3a12201..d1207d68cd97 100644
--- a/x-pack/metricbeat/include/list.go
+++ b/x-pack/metricbeat/include/list.go
@@ -7,7 +7,7 @@
 package include
 
 import (
-	// Import modules.
+	// Import packages that need to register themselves.
 	_ "github.com/elastic/beats/x-pack/metricbeat/module/foo"
 	_ "github.com/elastic/beats/x-pack/metricbeat/module/foo/bar"
 )
diff --git a/x-pack/metricbeat/magefile.go b/x-pack/metricbeat/magefile.go
index 6d54031a64a8..ec32803d643a 100644
--- a/x-pack/metricbeat/magefile.go
+++ b/x-pack/metricbeat/magefile.go
@@ -22,7 +22,7 @@ import (
 
 func init() {
 	mage.BeatDescription = "Metricbeat is a lightweight shipper for metrics."
-	mage.BeatLicense = "Elastic"
+	mage.BeatLicense = "Elastic License"
 }
 
 // Build builds the Beat binary.