diff --git a/vars/Ubuntu.yml b/vars/Ubuntu.yml
new file mode 100644
index 0000000..f1fe792
--- /dev/null
+++ b/vars/Ubuntu.yml
@@ -0,0 +1,22 @@
+---
+# Because use https://www.samdarwin.com/ansible-default-vars/
+# any variable with:
+#   default_auditd_
+# acts as per distro defaut variable
+
+# This configuration tries to follow Ubuntu upstream default configuration as
+# far as possible. Some values are inherited from Debian.
+
+# Defaults
+default_auditd_backlog_wait_time: 0
+
+default_auditd_log_format: RAW
+default_auditd_disp_qos: lossy
+default_auditd_dispatcher: /sbin/audispd
+default_auditd_transport: null
+default_auditd_q_depth: null
+default_auditd_overflow_action: null
+default_auditd_max_restarts: null
+default_auditd_plugin_dir: null
+default_auditd_end_of_event_timeout: null
+default_auditd_enable_krb5: false
diff --git a/vars/Ubuntu_18.yml b/vars/Ubuntu_18.yml
new file mode 120000
index 0000000..2749033
--- /dev/null
+++ b/vars/Ubuntu_18.yml
@@ -0,0 +1 @@
+Ubuntu_20.yml
\ No newline at end of file
diff --git a/vars/Ubuntu_20.yml b/vars/Ubuntu_20.yml
new file mode 100644
index 0000000..f3d9a51
--- /dev/null
+++ b/vars/Ubuntu_20.yml
@@ -0,0 +1,24 @@
+---
+# Ubuntu 18-20: these are not compiled in
+auditd_config_deprecated_settings:
+  - auditd_end_of_event_timeout
+  - auditd_max_restarts
+  - auditd_overflow_action
+  - auditd_plugin_dir
+  - auditd_q_depth
+  - auditd_tcp_client_max_idle_parser
+  - auditd_tcp_listen_port_parser
+  - auditd_tcp_listen_queue_parser
+  - auditd_tcp_max_per_addr_parser
+  - auditd_transport
+
+auditd_end_of_event_timeout: null
+auditd_plugin_dir: null
+auditd_max_restarts: null
+auditd_overflow_action: null
+auditd_q_depth: null
+auditd_tcp_client_max_idle_parser: null
+auditd_tcp_listen_port_parser: null
+auditd_tcp_listen_queue_parser: null
+auditd_tcp_max_per_addr_parser: null
+auditd_transport: null