Curious, does the Auditbeat auditd module have a space_left, admin_space_left or disk_full action like auditd does?
If my disk starts filling up I need syslog to start logging that I am running out of space, and if the disk fills up I need to system to halt.
Auditd currently does this but does Auditbeat? I see it has a failure_mode for kernel running out of memory.
Thanks,
Hi @ryannelle,
Auditbeat uses an internal in memory queue for audit events, see https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-internal-queue.html. You can fine tune several parameters, but in general events don't touch the disk.
6.3 will include spooling to disk, so items in the queue can be offloaded to disk, max size will be configurable: https://www.elastic.co/blog/brewing-in-beats-spooling-to-disk-in-Beats
Best regards
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.