I installed Auditbeat 7.11.2 on Ubuntu 16.04 and CentOS 7 to read login from file
On CentOS 7 all registers are read correctly.
On Ubuntu, only login and logout are collected. No entry for logfail (the entries in
Auditbeat on Ubuntu seems not to read this event and not send it to Elasticsearch.
What could be the problem?
I am also attaching the auditbeat.yml configuration. The file is the same on both CentOS and Ubuntu.
```yaml
auditbeat.modules:
- module: system
  datasets:
    - login # User logins, logouts, and system boots.
  state.period: 12h
  period: 30s
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "xxx.xxx.xxx.xxx:5601"
  username: "username"
  password: "password"
  #space.id:

output.elasticsearch:
  hosts: ["xxx.xxx.xxx.xxx:9200"]
  username: "username"
  password: "password"

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
```
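An added diagnostic, not part of the original post and not Auditbeat code: run on each host, it shows whether the files matched by `login.btmp_file_pattern` (`/var/log/btmp*` in the posted config) exist, are readable, and hold any records. It assumes the 384-byte x86-64 glibc `struct utmp` layout; `make_record` is a hypothetical helper that builds constructed records for offline testing.

```python
import glob
import struct
from collections import Counter

# Assumption: glibc `struct utmp` on x86-64 Linux, 384 bytes per record.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
         6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Return (records, trailing_byte_count) for raw wtmp/btmp bytes."""
    usable = len(data) - len(data) % UTMP.size
    records = []
    for off in range(0, usable, UTMP.size):
        f = UTMP.unpack_from(data, off)
        records.append({"type": TYPES.get(f[0], str(f[0])), "pid": f[1],
                        "line": _text(f[2]), "user": _text(f[4]),
                        "host": _text(f[5]), "time": f[9]})
    return records, len(data) - usable


def summarize(pattern):
    """Per-file record counts by type for every file the glob matches."""
    report = {}
    for path in sorted(glob.glob(pattern)):
        try:
            with open(path, "rb") as fh:
                recs, trailing = parse_utmp(fh.read())
        except PermissionError:
            report[path] = "permission denied"  # e.g. not running as root
            continue
        report[path] = {"counts": dict(Counter(r["type"] for r in recs)),
                        "trailing_bytes": trailing}
    return report


def make_record(ut_type, pid, line, user, host, ts):
    """Build one constructed record (used for offline testing only)."""
    return UTMP.pack(ut_type, pid, line, b"", user, host,
                     0, 0, 0, ts, 0, 0, 0, 0, 0, b"")


if __name__ == "__main__":
    for path, info in summarize("/var/log/btmp*").items():
        print(path, info)
```

An empty report means no file matched the pattern; a non-zero `trailing_bytes` means the file size is not a multiple of the assumed record size.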