Auditbeat 7.11 on Ubuntu doesn't read /var/log/btmp

Supp0rt · February 12, 2021, 8:26am

Hi,
I installed auditbeat 7.11.2 on Ubuntu 16.04 and Centos 7 to read login from file /var/log/wtmp
and /var/log/btmp .

On Centos 7 all registers are read correctly.
On Ubuntu, only login and logout are collected. No entry for logfail (the entries in /var/log/btmp).
Auditbeat on Ubuntu seems not to read this event and not send it to elasticsearch

What could be the problem?
I am also attaching the auditbeat.yml configuration. The file is the same both Centos and Ubuntu.

    auditbeat.modules:
    - module: system
      datasets:
        - login   # User logins, logouts, and system boots.
      state.period: 12h
      period: 30s
      user.detect_password_changes: true
      login.wtmp_file_pattern: /var/log/wtmp*
      login.btmp_file_pattern: /var/log/btmp*
    setup.template.settings:
      index.number_of_shards: 1
    setup.kibana:
      host: "xxx.xxx.xxx.xxx:5601"
      username: "username"
      password: "password"
      #space.id:
    output.elasticsearch:
      hosts: ["xxx.xxx.xxx.xxx:9200"]
      username: "username"
      password: "password"
    processors:
      - add_host_metadata: ~
      - add_cloud_metadata: ~
      - add_docker_metadata: ~

system · March 12, 2021, 10:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auditbeat collects old data on Linux system Beats auditbeat	1	443	March 10, 2022
Auditbeat authentications log Beats auditbeat	1	301	September 7, 2023
Filebeat on Centos7 not properly starting or logging Beats filebeat	3	1872	July 5, 2019
I use auditbeat 8.6.2, can't find no login shell command Beats auditbeat	1	362	March 28, 2023
Filebeat is not authenticating with elasticsearch after xpack was enabled Beats filebeat	6	2019	July 14, 2021

Auditbeat 7.11 on Ubuntu doesn't read /var/log/btmp

Related Topics