nandha_88
(nandha)
February 12, 2019, 7:54am
1
Hi All,
Please provide us a better solution.
Our setup is below, and right now we need to monitor user activities on the Linux server.
Filebeat -> Logstash -> ES -> Kibana
Please share whether we can use the same Filebeat model to gather the logs, or whether we can install and use Auditbeat to gather the user log.
Regards
Nandha
warkolm
(Mark Walkom)
February 12, 2019, 7:56am
2
If you want low level info then use auditbeat, otherwise use filebeat to collect the system logs.
nandha_88
(nandha)
February 12, 2019, 8:08am
3
Hi Warkolm,
Thanks. I will use the Filebeat modules and try to gather the logs.
But how do I index the log values based on the input?
I need the same kind of output as in Auditbeat.
Especially, I need the timestamp, the process or command executed, and the user who ran the command.
Regards
Nandha
warkolm
(Mark Walkom)
February 12, 2019, 8:19am
4
That will depend on what the logs contain.
nandha_88
(nandha)
February 18, 2019, 5:17pm
5
Hi Warkolm,
I have installed ELK on a fresh server with the setup below:
ELK installed on one server
Filebeat installed on the client machine with the system and auditd modules enabled
I have given the Logstash IP in filebeat.yml to forward the logs.
Please share the steps to load the index which will give the system and auditd columns.
Badger
February 18, 2019, 6:20pm
6
What do the logfile entries look like?
nandha_88
(nandha)
February 20, 2019, 7:38pm
7
Hi Badger,
Based on my search, what I see is that the below command should be run to enable the auditd index when Logstash is used to collect the logs.
filebeat setup --pipelines --modules auditd
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules-quickstart.html#load-ingest-pipelines
Do I need to run this on all hosts which have Filebeat installed, or only on the ELK server?
Regards
Nandha
warkolm
(Mark Walkom)
February 20, 2019, 10:57pm
8
Nope
It needs to be on all hosts you want to collect that info from.
Sorry I misread that one. You don't need to run the setup on every host. You do need to enable the module on every host.
nandha_88
(nandha)
February 21, 2019, 4:53pm
9
Hi Warkolm,
I have enabled the auditd module in Filebeat and am able to see the harvester for audit.log when I restart Filebeat.
Now the logs are not shipped into Logstash and end with the below error. Please help.
{"source":"/var/log/audit/audit.log","prospector":{"type":"log"},"beat":{"version":"6.2.2","name":"test.example.com","hostname":"test.example.com"},"message":"type=EXECVE msg=audit(1550767742.671:15104841): argc=3 a0="sed" a1="-e" a2="s|:|\\:|"","offset":7677297,"host":"test.example.com","@timestamp":"2019-02-21T16:49:09.398Z","@version":"1","fileset":{"module":"auditd","name":"log"},"tags":["beats_input_codec_plain_applied","_grokparsefailure"]
Once this issue is resolved, I will check the index fields.
Regards
Nandha
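Added example, not code from this thread, from Filebeat or from the Elastic docs: a small parser for the audit.log records being shipped above. The `_grokparsefailure` tag in that event is Logstash's grok filter reporting that none of its patterns matched the raw line, and the fields asked for earlier (timestamp, command, user) only exist once something parses the record; the Filebeat auditd module does that in an Elasticsearch ingest pipeline, which is why a raw line landing in Logstash still looks like this. The code joins the SYSCALL, EXECVE and CWD records that share one `audit(<timestamp>:<serial>)` id into a single "who ran what, when" dict, decodes the hex-encoded arguments auditd emits for values with spaces or quotes, and reassembles long arguments split into `a2[0]`, `a2[1]`, ... chunks. The EXECVE line for event 15104841 is the one from the post; every other line is constructed sample input, the uid/auid numbers are not resolved to names, and the helper names are this example's own.

```python
"""Parse Linux auditd records (the /var/log/audit/audit.log format) and join the
SYSCALL, EXECVE and CWD records of one audit event into a "who ran what, when" dict.
Added example for the thread; not Filebeat, Auditbeat or Logstash code. Python 3.8+."""
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Every record starts with: type=<TYPE> msg=audit(<seconds>.<millis>:<serial>):
# Records that belong to the same event share the (timestamp, serial) id.
_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<secs>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# Fields are key="value" or key=value. Keys like a2[0] are chunks of one long argument.
_FIELD = re.compile(r'(?P<key>[A-Za-z0-9_]+(?:\[\d+\])?)=(?:"(?P<quoted>[^"]*)"|(?P<raw>\S+))')
_ARG = re.compile(r"^a\d+(?:\[\d+\])?$")        # EXECVE argv keys: a0, a1, a2[0], ...
_HEX = re.compile(r"^(?:[0-9A-F]{2})+$")        # auditd hex-encodes values it cannot quote
_STRING_KEYS = ("comm", "exe", "cwd", "key", "name")
UNSET_ID = 4294967295                            # (unsigned)-1: auid not set (cron, daemons)

def _decode(rtype, key, raw):
    """Decode hex-encoded string values (arguments with spaces/quotes, odd paths)."""
    if (key in _STRING_KEYS or (rtype == "EXECVE" and _ARG.match(key))) and _HEX.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse_record(line):
    """Return (type, event_id, fields) for one audit.log line, or None if malformed."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, fields = m.group("type"), {}
    for f in _FIELD.finditer(m.group("body")):
        key = f.group("key")
        if f.group("quoted") is not None:
            fields[key] = f.group("quoted")
        else:
            fields[key] = _decode(rtype, key, f.group("raw"))
    ts = datetime.fromtimestamp(int(m.group("secs")), tz=timezone.utc)
    ts += timedelta(milliseconds=int(m.group("ms")))
    return rtype, (ts, m.group("serial")), fields

def _argv(execve):
    """Rebuild argv from EXECVE fields; long arguments arrive as a{i}[0], a{i}[1], ..."""
    argv = []
    for i in range(int(execve.get("argc", 0))):
        if f"a{i}" in execve:
            argv.append(execve[f"a{i}"])
        else:
            chunks, j = [], 0
            while f"a{i}[{j}]" in execve:
                chunks.append(execve[f"a{i}[{j}]"])
                j += 1
            argv.append("".join(chunks))
    return argv

def _id(value):
    """Numeric uid/auid as int, or None for auditd's 'unset' marker."""
    return None if value is None or int(value) == UNSET_ID else int(value)

def build_exec_events(lines):
    """Group records by event id and emit one dict per execve event (others are skipped)."""
    wanted = ("SYSCALL", "EXECVE", "CWD")
    by_id, order = defaultdict(lambda: {t: {} for t in wanted}), []
    for line in lines:
        parsed = parse_record(line)
        if parsed is None or parsed[0] not in wanted:
            continue
        rtype, event_id, fields = parsed
        if event_id not in by_id:
            order.append(event_id)
        by_id[event_id][rtype].update(fields)  # several EXECVE records of one event merge here
    events = []
    for ts, serial in order:
        recs = by_id[(ts, serial)]
        if not recs["EXECVE"]:                 # a file open, login, etc.: not an exec
            continue
        sc, argv = recs["SYSCALL"], _argv(recs["EXECVE"])
        events.append({
            "timestamp": ts.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
            "serial": serial,
            "auid": _id(sc.get("auid")),       # login user: who is really behind the command
            "uid": _id(sc.get("uid")),         # effective user at exec time
            "pid": sc.get("pid"), "ppid": sc.get("ppid"),
            "exe": sc.get("exe"), "comm": sc.get("comm"),
            "cwd": recs["CWD"].get("cwd"),
            "argv": argv,
            "command": shlex.join(argv),
        })
    return events

# Constructed sample input. The EXECVE line of event 15104841 is the one from the
# thread; everything else is made up to exercise the code paths.
SAMPLE_LOG = r"""
type=SYSCALL msg=audit(1550767742.671:15104841): arch=c000003e syscall=59 success=yes exit=0 a0=55d0a8c0c9a0 a1=55d0a8c0ca60 a2=55d0a8c0b4f0 a3=8 items=2 ppid=24531 pid=24532 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=12 comm="sed" exe="/usr/bin/sed" key="exec"
type=EXECVE msg=audit(1550767742.671:15104841): argc=3 a0="sed" a1="-e" a2="s|:|\:|"
type=CWD msg=audit(1550767742.671:15104841): cwd="/home/nandha"
type=SYSCALL msg=audit(1550767750.000:15104850): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd5c3e1a20 a2=0 a3=0 items=1 ppid=24531 pid=24540 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=12 comm="cat" exe="/usr/bin/cat" key="files"
type=SYSCALL msg=audit(1550767800.120:15104900): arch=c000003e syscall=59 success=yes exit=0 a0=5592f2a6b2c0 a1=5592f2a6b3e0 a2=5592f2a6a4f0 a3=8 items=2 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/dash" key="exec"
type=EXECVE msg=audit(1550767800.120:15104900): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F20776F726C64
type=CWD msg=audit(1550767800.120:15104900): cwd="/"
type=SYSCALL msg=audit(1550767900.500:15105000): arch=c000003e syscall=59 success=yes exit=0 a0=55a1b2c3d4e0 a1=55a1b2c3d5f0 a2=55a1b2c3c6a0 a3=8 items=2 ppid=24531 pid=24601 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=12 comm="echo" exe="/usr/bin/echo" key="exec"
type=EXECVE msg=audit(1550767900.500:15105000): argc=2 a0="echo" a1_len=12 a1[0]="abcdef" a1[1]="ghijkl"
this line is not an audit record and is skipped
""".strip()

if __name__ == "__main__":
    for ev in build_exec_events(SAMPLE_LOG.splitlines()):
        print(ev["timestamp"], ev["auid"], ev["uid"], ev["cwd"], ev["command"])
```

Two things worth noticing in the output: the cron-style event has `auid` unset and `uid` 0, so `auid` (the login user) rather than `uid` is the field to key "who ran the command" on, and the openat SYSCALL without an EXECVE record is dropped rather than reported as a command.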
nandha_88
(nandha)
February 26, 2019, 6:10am
10
Hi All,
I started using the Auditbeat module.
Please share the rule to add to auditbeat.yml to record all the commands running on the system and forward them to Elasticsearch.
Regards
Nandha
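Added example, not a reply from the thread and not taken from the Auditbeat reference config: the auditd-module section of auditbeat.yml with the kernel audit rules that record every execve, which is what "all commands running on the system" comes down to. The rules use the same syntax as auditctl. It assumes Auditbeat 6.x on an x86_64 host and Elasticsearch on localhost:9200; swap the output for output.logstash if Auditbeat should go through Logstash like Filebeat does.

```yaml
auditbeat.modules:
- module: auditd
  # Rules in auditctl syntax. Every execve on the 64-bit and 32-bit syscall
  # ABIs is recorded and tagged with the key "exec" for filtering later.
  audit_rules: |
    -a always,exit -F arch=b64 -S execve -k exec
    -a always,exit -F arch=b32 -S execve -k exec
    # Narrower alternative: only commands run by logged-in users, i.e.
    # auid >= 1000 and not the "unset" value 4294967295 (cron, daemons).
    # -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_exec

output.elasticsearch:
  hosts: ["localhost:9200"]   # assumption; point this at the ELK host
```

One caveat before enabling it: Auditbeat reads events from the kernel's audit socket, which the auditd daemon normally owns, so on a host where auditd is still running either stop it or set the module's `socket_type: multicast` (needs a 3.16 or newer kernel), otherwise the module will not receive events.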
system
(system)
Closed
March 26, 2019, 6:18am
11
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.