Auditbeat 7.11 on Ubuntu doesn't read /var/log/btmp

Supp0rt · February 12, 2021, 8:26am

Hi,
I installed auditbeat 7.11.2 on Ubuntu 16.04 and Centos 7 to read login from file /var/log/wtmp
and /var/log/btmp .

On Centos 7 all registers are read correctly.
On Ubuntu, only login and logout are collected. No entry for logfail (the entries in /var/log/btmp).
Auditbeat on Ubuntu seems not to read this event and not send it to elasticsearch

What could be the problem?
I am also attaching the auditbeat.yml configuration. The file is the same both Centos and Ubuntu.

    auditbeat.modules:
    - module: system
      datasets:
        - login   # User logins, logouts, and system boots.
      state.period: 12h
      period: 30s
      user.detect_password_changes: true
      login.wtmp_file_pattern: /var/log/wtmp*
      login.btmp_file_pattern: /var/log/btmp*
    setup.template.settings:
      index.number_of_shards: 1
    setup.kibana:
      host: "xxx.xxx.xxx.xxx:5601"
      username: "username"
      password: "password"
      #space.id:
    output.elasticsearch:
      hosts: ["xxx.xxx.xxx.xxx:9200"]
      username: "username"
      password: "password"
    processors:
      - add_host_metadata: ~
      - add_cloud_metadata: ~
      - add_docker_metadata: ~

system · March 12, 2021, 10:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Tailing /var/log/secure Beats auditbeat	1	482	June 10, 2020
Auditbeat collects old data on Linux system Beats auditbeat	1	443	March 10, 2022
Unable to start Auditbeat on LXC container Beats auditbeat	9	3951	November 4, 2022
Auditbeat not picking up authentication events in CentOs 7 Beats auditbeat	4	2794	February 9, 2019
Auditbeat authentications log Beats auditbeat	1	301	September 7, 2023

Auditbeat 7.11 on Ubuntu doesn't read /var/log/btmp

Related topics