Hi All,
Please provide us a better solution.
Our setup is below and right now we need to monitor user activities in the linux server.
Filebeat -> logstash -> eS -> kibana
Please share whether we can use the same filebeat model to gather the logs or we can install & use the audit beat to gather the user log.
Regards
Nandha
If you want low level info then use auditbeat, otherwise use filebeat to collect the system logs.
Hi Warkolm,
Thanks. I will use the filebeat modules and try to gather the logs.
But how to index the log values based on the input.
I need the same kind of output as in the auditbeat
Esp I need timestamp , process or command executed and user run the command
Regards
Nandha
That will depend on what the logs contain.
Hi Warolm,
I have installed ELK in the fresh server as the below setup
ELK installed in one server
filebeat installed in the client machine with systemd and auditd module enabled
I have give the logstash IP in the filebeabt.yml to forward the log.
Please share the step to load the index which will give the system and auditd columns
What do the logfile entries look like?
Hi Badger,
BAsed on my search , what I see the below command should be run to enable the auditd index when logstash is used to collect the logs.
filebeat setup --pipelines --modules auditd
Should I need to run this on all hosts which have filebeat installed or just only in the eLK server ?
Regards
Nandha
It needs to be on all hosts you want to collect that info from.
Sorry I misread that one. You don't need to run the setup on every host. You do need to enable the module on every host.
Hi Warkolm,
I have enabled the audit module in the filebeat and able to see the harvester for the audit.log when I restart the filebeat.
Now the logs are not shipped into logstash and end with the below error. Please help.
{"source":"/var/log/audit/audit.log","prospector":{"type":"log"},"beat":{"version":"6.2.2","name":"test.example.com","hostname":"test.example.com"},"message":"type=EXECVE msg=audit(1550767742.671:15104841): argc=3 a0="sed" a1="-e" a2="s|:|\\:|"","offset":7677297,"host":"test.example.com","@timestamp":"2019-02-21T16:49:09.398Z","@version":"1","fileset":{"module":"auditd","name":"log"},"tags":["beats_input_codec_plain_applied","_grokparsefailure"]
Once this issue completed , I will check with index fields.
Regards
Nandha
Hi All,
I started using the auditbeat module.
Please share the rule to add to auditbeat.yml to record all the commands running in the system and forward to elasticsearch
Regards
Nandha
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.