Hi,
I installed auditbeat 7.11.2 on Ubuntu 16.04 and CentOS 7 to read logins from the files /var/log/wtmp and /var/log/btmp.
On CentOS 7 all records are read correctly.
On Ubuntu, only login and logout are collected. There is no entry for logfail (the entries in /var/log/btmp).
Auditbeat on Ubuntu seems not to read these events and does not send them to Elasticsearch.
What could be the problem?
I am also attaching the auditbeat.yml configuration. The file is the same on both CentOS and Ubuntu.

auditbeat.modules:
- module: system
  datasets:
    - login # User logins, logouts, and system boots.
  state.period: 12h
  period: 30s
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "xxx.xxx.xxx.xxx:5601"
  username: "username"
  password: "password"
  #space.id:

output.elasticsearch:
  hosts: ["xxx.xxx.xxx.xxx:9200"]
  username: "username"
  password: "password"

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
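A first troubleshooting step for a question like the one above is to confirm that the Ubuntu host's /var/log/btmp actually contains failed-login records before suspecting the login dataset: btmp is written by login/sshd, not by auditbeat, and if it is empty there is nothing to ship. The parser below is an added example, not code from the original post or from Elastic; it reads the same fixed-width utmp records that `lastb` and auditbeat's login dataset read, assuming the glibc x86_64 `struct utmp` layout (384 bytes per record). The sample records and all values in them are constructed for the example.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

# glibc x86_64 `struct utmp`, the layout shared by wtmp and btmp (384 bytes):
#   short ut_type; (2 bytes padding) int ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; struct exit_status ut_exit (2 shorts);
#   int32 ut_session; int32 tv_sec; int32 tv_usec; int32 ut_addr_v6[4]; char unused[20]
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
assert UTMP.size == 384

UT_TYPES = {
    0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
    5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS",
    9: "ACCOUNTING",
}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes) -> list:
    """Parse a wtmp/btmp byte buffer into a list of record dicts."""
    if len(data) % UTMP.size:
        raise ValueError(f"buffer length {len(data)} is not a multiple of {UTMP.size}")
    records = []
    for off in range(0, len(data), UTMP.size):
        (ut_type, pid, line, _ut_id, user, host, _e_term, _e_exit,
         _session, tv_sec, tv_usec, *_addr) = UTMP.unpack_from(data, off)
        records.append({
            "type": UT_TYPES.get(ut_type, f"UNKNOWN({ut_type})"),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc).replace(microsecond=tv_usec),
        })
    return records


def build_record(ut_type: int, user: str, host: str, tv_sec: int,
                 line: str = "ssh:notty", pid: int = 0) -> bytes:
    """Pack one record in the same layout (used here only to construct sample data)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def summarize(records: list) -> dict:
    """Count records per type and per user; compare this against `lastb` output."""
    return {
        "total": len(records),
        "by_type": dict(Counter(r["type"] for r in records)),
        "by_user": dict(Counter(r["user"] for r in records)),
    }


# Constructed sample: two failed-login-style btmp records. The user names, hosts,
# PIDs and timestamps are invented; the LOGIN_PROCESS type is what util-linux
# `login` writes for a failure, but the parser does not depend on it.
SAMPLE_BTMP = (
    build_record(6, "root", "203.0.113.7", 1615000000, pid=4242)
    + build_record(6, "admin", "198.51.100.9", 1615000060, pid=4250)
)


if __name__ == "__main__":
    import sys
    # Reading the real file needs root: btmp is owned by root:utmp and not world-readable.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/btmp"
    with open(path, "rb") as fh:
        recs = parse_utmp(fh.read())
    for r in recs:
        print(f'{r["time"]:%Y-%m-%d %H:%M:%S} {r["type"]:<14} {r["user"]:<16} '
              f'{r["line"]:<12} {r["host"]}')
    print(summarize(recs))
```

Run it as root against /var/log/btmp (and against any rotated btmp.1 that the `/var/log/btmp*` pattern would match) and compare the totals with `lastb`; if both show records on the Ubuntu host while CentOS ships them and Ubuntu does not, the file content can be ruled out and the investigation moves to auditbeat's own logs and the state it keeps for the login dataset.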