Audit log

(nandha) #1

Hi All,

Please provide us a better solution.
Our setup is below, and right now we need to monitor user activities on the Linux server.

Filebeat -> Logstash -> ES -> Kibana

Please share whether we can use the same Filebeat model to gather the logs, or whether we should install and use Auditbeat to gather the user log.


(Mark Walkom) #2

If you want low level info then use auditbeat, otherwise use filebeat to collect the system logs.

(nandha) #3

Hi Warkolm,

Thanks. I will use the Filebeat modules and try to gather the logs.
But how do I index the log values based on the input?
I need the same kind of output as in Auditbeat.

Especially, I need the timestamp, the process or command executed, and the user who ran the command.


(Mark Walkom) #4

That will depend on what the logs contain.

(nandha) #5

Hi Warkolm,

I have installed ELK on a fresh server with the setup below:

ELK installed on one server
Filebeat installed on the client machine with the systemd and auditd modules enabled

I have given the Logstash IP in filebeat.yml to forward the logs.

Please share the steps to load the index which will give the system and auditd columns.


(Badger) #6

What do the logfile entries look like?

(nandha) #7

Hi Badger,

Based on my search, what I see is that the below command should be run to enable the auditd index when Logstash is used to collect the logs.

filebeat setup --pipelines --modules auditd

Should I need to run this on all hosts which have Filebeat installed, or only on the ELK server?


(Mark Walkom) #8

It needs to be on all hosts you want to collect that info from.

Sorry I misread that one. You don't need to run the setup on every host. You do need to enable the module on every host.

(nandha) #9

Hi Warkolm,

I have enabled the auditd module in Filebeat and am able to see the harvester for audit.log when I restart Filebeat.

Now the logs are not shipped into Logstash and end with the below error. Please help.

{"source":"/var/log/audit/audit.log","prospector":{"type":"log"},"beat":{"version":"6.2.2","name":"","hostname":""},"message":"type=EXECVE msg=audit(1550767742.671:15104841): argc=3 a0="sed" a1="-e" a2="s|:|\\:|"","offset":7677297,"host":"","@timestamp":"2019-02-21T16:49:09.398Z","@version":"1","fileset":{"module":"auditd","name":"log"},"tags":["beats_input_codec_plain_applied","_grokparsefailure"]

Once this issue is resolved, I will check the index fields.
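A note on the event shown above, with an added example that is not from the thread: the `_grokparsefailure` tag is attached by a Logstash grok filter whose pattern did not match the line, while the fields asked for in #3 (timestamp, command, user) are spread across several auditd records of one event. The EXECVE record carries the argv, the SYSCALL record with the same `audit(<epoch>:<serial>)` stamp carries `uid`, `auid` and `exe`, and arguments containing spaces or quotes are hex-encoded rather than quoted. The parser below groups records by serial and decodes those fields; the sample log lines are constructed to resemble the event in the post (same serial, same `sed` command) and are not real data.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of /var/log/audit/audit.log (not real data). Records of one
# event share the same audit(<epoch>.<ms>:<serial>) stamp. Event 15104841 mirrors
# the line from the post; event 15104842 has a hex-encoded argument ("echo hi").
SAMPLE_AUDIT_LOG = r"""
type=SYSCALL msg=audit(1550767742.671:15104841): arch=c000003e syscall=59 success=yes exit=0 a0=55d2c2a0 a1=55d2c2b0 a2=55d2c2c0 a3=8 items=2 ppid=4120 pid=4131 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="sed" exe="/usr/bin/sed" key="exec"
type=EXECVE msg=audit(1550767742.671:15104841): argc=3 a0="sed" a1="-e" a2="s|:|\:|"
type=PROCTITLE msg=audit(1550767742.671:15104841): proctitle=736564002D6500737C3A7C5C3A7C
type=SYSCALL msg=audit(1550767745.102:15104842): arch=c000003e syscall=59 success=yes exit=0 a0=55d2c3a0 a1=55d2c3b0 a2=55d2c3c0 a3=8 items=2 ppid=4120 pid=4140 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="sh" exe="/bin/sh" key="exec"
type=EXECVE msg=audit(1550767745.102:15104842): argc=3 a0="sh" a1="-c" a2=6563686F206869
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values are either "quoted" (backslash is literal inside) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Bare (unquoted) values of these fields are hex-encoded by auditd when they contain
# whitespace, quotes or control characters. SYSCALL a0..a3 are raw register values
# and must NOT be decoded, so EXECVE argv is handled by record type below.
HEX_FIELDS = {'comm', 'exe', 'proctitle', 'cwd', 'name', 'key'}


def decode_field(rtype, key, raw):
    """Strip quotes from a quoted value, or hex-decode an encoded one."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    may_be_hex = key in HEX_FIELDS or (rtype == 'EXECVE' and re.fullmatch(r'a\d+', key))
    if may_be_hex and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        # PROCTITLE separates argv with NUL bytes; show them as spaces
        return bytes.fromhex(raw).decode('utf-8', 'replace').replace('\x00', ' ')
    return raw


def parse_audit_log(text):
    """Return {serial: merged fields}, keys prefixed with the record type."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record (blank line, truncated line, ...)
        rtype, ts, serial, body = m.group('type', 'ts', 'serial', 'body')
        ev = events[serial]
        ev.setdefault('@timestamp',
                      datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat())
        for key, raw in KV_RE.findall(body):
            ev[f'{rtype.lower()}.{key}'] = decode_field(rtype, key, raw)
    return dict(events)


def summarize(events):
    """One row per executed command: when, which login user, which uid, what."""
    rows = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        if 'execve.argc' not in ev:
            continue  # event without an EXECVE record (open, connect, ...)
        argc = int(ev['execve.argc'])
        # Note: very long arguments are split by auditd into a1[0], a1[1], ...;
        # this example does not reassemble those.
        argv = [ev.get(f'execve.a{i}', '') for i in range(argc)]
        rows.append({
            'serial': serial,
            'timestamp': ev['@timestamp'],
            'auid': ev.get('syscall.auid'),  # login uid, survives su/sudo
            'uid': ev.get('syscall.uid'),    # effective identity at exec time
            'exe': ev.get('syscall.exe'),
            'command': ' '.join(argv),
            'proctitle': ev.get('proctitle.proctitle'),
        })
    return rows


if __name__ == '__main__':
    for row in summarize(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{row['timestamp']} auid={row['auid']} uid={row['uid']} {row['command']}")
```

The `auid` is the field to key user attribution on: it is set at login and kept across `su`/`sudo`, whereas `uid` shows who the command ran as. Auditbeat's auditd module performs this same correlation for you, which is why it gives the timestamp/command/user view asked about in #3 directly.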


(nandha) #10

Hi All,

I started using the Auditbeat module.
Please share the rule to add to auditbeat.yml to record all the commands running on the system and forward them to Elasticsearch.
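The thread does not answer this, so here is an added configuration fragment (not from the thread or from the Elastic project pages) showing an auditbeat.yml that records every process execution. The rules use the same auditctl syntax as auditd; the Elasticsearch address is an assumed placeholder.

```yaml
auditbeat.modules:
- module: auditd
  # Log every execve/execveat. A 64-bit kernel needs both arch lines so that
  # 32-bit binaries are recorded too. The key tags events for filtering in Kibana.
  audit_rules: |
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -a always,exit -F arch=b32 -S execve,execveat -k exec

output.elasticsearch:
  hosts: ["localhost:9200"]   # assumed address, replace with your ES host
```

Only one process can own the kernel's unicast audit socket, so if the auditd daemon is also running on the host, either stop it or set the module's `socket_type: multicast` (kernel 3.16 or newer) so Auditbeat receives a copy of the events instead of competing for them.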


(system) closed #11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.