Auditbeat 7.11 on Ubuntu doesn't read /var/log/btmp

Hi,
I installed Auditbeat 7.11.2 on Ubuntu 16.04 and CentOS 7 to read logins from the files /var/log/wtmp
and /var/log/btmp.

On CentOS 7 all registers are read correctly.
On Ubuntu, only login and logout are collected. There is no entry for logfail (the entries in /var/log/btmp).
Auditbeat on Ubuntu seems not to read this event and not send it to Elasticsearch.

What could be the problem?
I am also attaching the auditbeat.yml configuration. The file is the same on both CentOS and Ubuntu.

    auditbeat.modules:
    - module: system
      datasets:
        - login   # User logins, logouts, and system boots.
      state.period: 12h
      period: 30s
      user.detect_password_changes: true
      login.wtmp_file_pattern: /var/log/wtmp*
      login.btmp_file_pattern: /var/log/btmp*
    setup.template.settings:
      index.number_of_shards: 1
    setup.kibana:
      host: "xxx.xxx.xxx.xxx:5601"
      username: "username"
      password: "password"
      #space.id:
    output.elasticsearch:
      hosts: ["xxx.xxx.xxx.xxx:9200"]
      username: "username"
      password: "password"
    processors:
      - add_host_metadata: ~
      - add_cloud_metadata: ~
      - add_docker_metadata: ~
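
An added example, not part of the original post: a small parser to confirm that a btmp or wtmp file on the affected host holds readable records, which helps separate "the file is empty or malformed" from "the collector is not reading it". It assumes the 384-byte glibc `struct utmp` layout used on x86-64 Linux; the function names and the sample records are this example's own.

```python
import struct
import sys
from collections import Counter
from datetime import datetime, timezone

# Assumed layout: glibc `struct utmp` on x86-64 Linux, 384 bytes per record.
UTMP = struct.Struct("=h2xi32s4s32s256shhiii16s20x")
TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
         6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Return (records, trailing_bytes) for raw wtmp/btmp contents."""
    usable = len(data) - len(data) % UTMP.size
    records = []
    for off in range(0, usable, UTMP.size):
        (typ, pid, line, _id, user, host,
         _term, _exit, _sess, sec, _usec, _addr) = UTMP.unpack_from(data, off)
        records.append({
            "type": TYPES.get(typ, str(typ)), "pid": pid,
            "line": cstr(line), "user": cstr(user), "host": cstr(host),
            "time": datetime.fromtimestamp(sec, timezone.utc).isoformat(),
        })
    # A non-zero remainder means a truncated file or a different record layout.
    return records, len(data) - usable


def sample_record(typ, pid, line, user, host, sec):
    """Build one constructed record (test data, not from a real host)."""
    return UTMP.pack(typ, pid, line, b"", user, host, 0, 0, 0, sec, 0, b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # e.g. /var/log/btmp
            raw = fh.read()
    else:  # constructed sample: two failed SSH logins
        raw = (sample_record(6, 4242, b"ssh:notty", b"root", b"203.0.113.7", 1615800000)
               + sample_record(6, 4250, b"ssh:notty", b"admin", b"203.0.113.7", 1615800030))
    recs, extra = parse_utmp(raw)
    print(f"{len(recs)} records, {extra} trailing bytes")
    print(Counter(r["type"] for r in recs))
    for r in recs[-5:]:
        print(r)
```

Running it against the btmp file on both hosts and comparing the record counts and types shows whether the two systems are writing failed logins in the same form.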
