Auditbeat - auditd module default rules

Hi,

I am testing Auditbeat with the auditd module. I have noticed that even if I don't have any auditd rules listed in my config, I can still see some events generated by this module.

I did some research here on the forum and other communities, and I found some info that PAM events are logged by default (which seems to be the case). Is there any documentation where I can find what exactly is logged by default?
The commands auditbeat show auditd-rules or auditctl -l show "no rules", but this is not right.

I believe these events have more to do with the PAM service as opposed to auditd. stackoverflow has the same question: security - What does auditd log by default (i.e. when no rules are defined?) - Server Fault
