[Auditbeat 7.6 - 7.2] Processor not working

Hi all,
I have a problem with an Auditbeat processor.
I have the log entry shown below. I configured a drop_event processor to fire when user.name is "root", but it is not working (the event is still indexed, not dropped):

Processor Config:

# Beats processor chain: drop every event whose user.name field matches "root".
processors:
 - drop_event:
     when:
        # NOTE(review): `contains` is Beats' substring condition, so this would also
        # drop events for any user whose name merely includes "root" (e.g. "nonroot");
        # `equals` is the exact-match condition — confirm which one is intended.
        # NOTE(review): the event pasted below has user.name "root" and was still
        # indexed, so this rule was evidently not applied — verify the running
        # Auditbeat actually loaded this config (restart, `auditbeat test config`)
        # before assuming the condition itself is wrong.
        # Security caveat: dropping every root event removes audit visibility into
        # all privileged activity, which is usually the most valuable data auditd
        # collects; if the goal is only to cut noise, narrow the condition further
        # (e.g. on process.name or event.action) instead of keying on the user alone.
        contains:
          user.name: "root" 

Log entry:

{
  "_index": "auditbeat-7.6.0-2020.02",
  "_type": "_doc",
  "_id": "YlikgHABtt-vWiG1ysfn",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2020-02-26T08:37:27.420Z",
    "user": {
      "effective": {
        "group": {
          "name": "root",
          "id": "0"
        },
        "id": "0",
        "name": "root"
      },
      "group": {
        "id": "0",
        "name": "root"
      },
      "name": "root",
      "saved": {
        "name": "root",
        "group": {
          "id": "0",
          "name": "root"
        },
        "id": "0"
      },
      "id": "0",
      "filesystem": {
        "name": "root",
        "id": "0",
        "group": {
          "id": "0",
          "name": "root"
        }
      },
      "audit": {
        "name": "root",
        "id": "0"
      }
    },
    "process": {
      "title": "ls --color=auto -l --color=auto",
      "name": "ls",
      "executable": "/usr/bin/ls",
      "args": [
        "ls",
        "--color=auto",
        "-l",
        "--color=auto"
      ],
      "pid": 24279,
      "ppid": 5201
    },
    "tags": [
      "rootcmd"
    ],
    "host": {
      "architecture": "x86_64",
      "os": {
        "codename": "Core",
        "platform": "centos",
        "version": "7 (Core)",
        "family": "redhat",
        "name": "CentOS Linux",
        "kernel": "3.10.0-693.2.2.el7.x86_64"
      },
      "name": "MCR-LIVE-BACKUP",
      "id": "f955206775b64e62acdcd881d0e1d4f3",
      "containerized": false,
      "hostname": "MCR-LIVE-BACKUP"
    },
    "agent": {
      "id": "962daac4-770f-4cdd-949c-984c914a76ae",
      "version": "7.6.0",
      "type": "auditbeat",
      "ephemeral_id": "958a5241-678f-42ea-958f-02c099decd7b",
      "hostname": "MCR-LIVE-BACKUP"
    },
    "event": {
      "module": "auditd",
      "category": "audit-rule",
      "action": "executed",
      "outcome": "success"
    },
    "file": {
      "device": "00:00",
      "inode": "100679299",
      "mode": "0755",
      "uid": "0",
      "gid": "0",
      "owner": "root",
      "group": "root",
      "path": "/usr/bin/ls"
    },
    "auditd": {
      "sequence": 972496,
      "result": "success",
      "data": {
        "tty": "pts0",
        "a3": "7ffde00a2720",
        "a0": "13fae10",
        "argc": "4",
        "a2": "13fae50",
        "arch": "x86_64",
        "syscall": "execve",
        "exit": "0",
        "a1": "13efef0"
      },
      "session": "79464",
      "summary": {
        "actor": {
          "primary": "root",
          "secondary": "root"
        },
        "object": {
          "primary": "/usr/bin/ls",
          "type": "file"
        },
        "how": "/usr/bin/ls"
      },
      "paths": [
        {
          "inode": "100679299",
          "item": "0",
          "ouid": "0",
          "objtype": "NORMAL",
          "ogid": "0",
          "rdev": "00:00",
          "dev": "fd:00",
          "mode": "0100755",
          "name": "/usr/bin/ls"
        },
        {
          "dev": "fd:00",
          "inode": "716939",
          "item": "1",
          "objtype": "NORMAL",
          "ogid": "0",
          "mode": "0100755",
          "name": "/lib64/ld-linux-x86-64.so.2",
          "ouid": "0",
          "rdev": "00:00"
        }
      ],
      "message_type": "syscall"
    },
    "service": {
      "type": "auditd"
    },
    "ecs": {
      "version": "1.4.0"
    }
  },
  "fields": {
    "@timestamp": [
      "2020-02-26T08:37:27.420Z"
    ]
  },
  "sort": [
    1582706247420
  ]
}

Can you help me?
