Audit log


(nandha) #1

Hi All,

Please provide us a better solution.
Our setup is below, and right now we need to monitor user activities on the Linux server.

Filebeat -> logstash -> ES -> kibana

Please share whether we can use the same filebeat model to gather the logs, or whether we can install and use auditbeat to gather the user logs.

Regards
Nandha


(Mark Walkom) #2

If you want low level info then use auditbeat, otherwise use filebeat to collect the system logs.


(nandha) #3

Hi Warkolm,

Thanks. I will use the filebeat modules and try to gather the logs.
But how do I index the log values based on the input?
I need the same kind of output as in auditbeat.

Especially, I need the timestamp, the process or command executed, and the user who ran the command.

Regards
Nandha


(Mark Walkom) #4

That will depend on what the logs contain.


(nandha) #5

Hi Warkolm,

I have installed ELK on a fresh server with the setup below:

ELK installed in one server
filebeat installed in the client machine with systemd and auditd module enabled

I have given the logstash IP in filebeat.yml to forward the logs.

Please share the steps to load the index which will give the system and auditd columns.


#6

What do the logfile entries look like?


(nandha) #7

Hi Badger,

Based on my search, what I see is that the below command should be run to enable the auditd index when logstash is used to collect the logs.

filebeat setup --pipelines --modules auditd

https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules-quickstart.html#load-ingest-pipelines

Do I need to run this on all hosts which have filebeat installed, or only on the ELK server?

Regards
Nandha


(Mark Walkom) #8

Nope

It needs to be on all hosts you want to collect that info from.

Sorry I misread that one. You don't need to run the setup on every host. You do need to enable the module on every host.


(nandha) #9

Hi Warkolm,

I have enabled the audit module in filebeat and am able to see the harvester for audit.log when I restart filebeat.

Now the logs are not shipped to logstash and end with the error below. Please help.

{"source":"/var/log/audit/audit.log","prospector":{"type":"log"},"beat":{"version":"6.2.2","name":"test.example.com","hostname":"test.example.com"},"message":"type=EXECVE msg=audit(1550767742.671:15104841): argc=3 a0="sed" a1="-e" a2="s|:|\\:|"","offset":7677297,"host":"test.example.com","@timestamp":"2019-02-21T16:49:09.398Z","@version":"1","fileset":{"module":"auditd","name":"log"},"tags":["beats_input_codec_plain_applied","_grokparsefailure"]

Once this issue is resolved, I will check the index fields.

Regards
Nandha
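Added example, not from this thread: a small Python parser for raw auditd records such as the EXECVE line quoted above. It joins each EXECVE record with the SYSCALL record that shares its serial number, so the timestamp, the command line and the user (auid/uid) asked for earlier in the thread come out together; the sample log lines are constructed, and EXECVE arguments that auditd wrote as bare hex are decoded.

```python
import re
from datetime import datetime, timezone

# Header "type=X msg=audit(epoch.millis:serial): ..." followed by key=value pairs (quoted string or bare token).
HEADER = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<sec>\d+)\.(?P<ms>\d{3}):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
def decode_arg(rec_type, key, raw):
    """Strip quotes; EXECVE argv entries that auditd wrote as bare hex (args with spaces etc.) are decoded."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if rec_type == 'EXECVE' and re.fullmatch(r'a\d+', key) and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw
def parse_record(line):
    """Parse one audit.log line into a dict, or return None if it is not an audit record."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype = m.group('type')
    fields = {k: decode_arg(rtype, k, v) for k, v in FIELD.findall(m.group('body'))}
    ts = datetime.fromtimestamp(int(m.group('sec')), tz=timezone.utc)
    rec = {'type': rtype, 'serial': int(m.group('serial')), 'fields': fields,
           'timestamp': ts.strftime('%Y-%m-%dT%H:%M:%S') + '.' + m.group('ms') + 'Z'}
    if rtype == 'EXECVE':
        rec['argv'] = [fields.get(f'a{i}', '') for i in range(int(fields.get('argc', '0')))]
    return rec
def executed_commands(lines):
    """Join EXECVE and SYSCALL records on the serial number: when, what was run, and by whom."""
    by_serial = {}
    for line in lines:
        rec = parse_record(line)
        if rec and rec['type'] in ('EXECVE', 'SYSCALL'):
            by_serial.setdefault(rec['serial'], {})[rec['type']] = rec
    out = []
    for serial, parts in sorted(by_serial.items()):
        if 'EXECVE' not in parts:
            continue  # a SYSCALL record without an EXECVE half carries no command line
        sc = parts.get('SYSCALL', {}).get('fields', {})
        out.append({'timestamp': parts['EXECVE']['timestamp'], 'serial': serial,
                    'command': ' '.join(parts['EXECVE']['argv']),
                    'auid': sc.get('auid'), 'uid': sc.get('uid'), 'exe': sc.get('exe')})
    return out
# Constructed sample lines; the first EXECVE record mirrors the one quoted in post #9 above.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1550767742.671:15104841): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=4120 pid=4123 auid=1000 uid=1000 comm="sed" exe="/usr/bin/sed" key="exec"',
    'type=EXECVE msg=audit(1550767742.671:15104841): argc=3 a0="sed" a1="-e" a2="s|:|\\:|"',
    'type=EXECVE msg=audit(1550767742.902:15104842): argc=2 a0="echo" a1=68656C6C6F20776F726C64',
]
```

The EXECVE record alone never names the user; the auid field in the SYSCALL record with the same serial is what identifies who ran the command, which is why the two are joined rather than indexed separately.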


(nandha) #10

Hi All,

I started using the auditbeat module.
Please share the rule to add to auditbeat.yml to record all the commands running on the system and forward them to Elasticsearch.

Regards
Nandha

