Auditbeat - auditd module default rules

Ppetro · August 30, 2022, 9:45am

Hi,

I am testing Auditbeat with auditd module. I have noticed that even if I don't have any auditd rule listed in my config, I can still see some events generated by this module.

I did some research here on the forum and other communities, and I found some info that PAM events are logged by default (which seems to be the case). Is there any documentation where I can find what exactly is logged by default?
Commands auditbeat show auditd-rules or auditctl -l show "no rules", but this is not right

MichelLaterman · September 1, 2022, 7:34pm

I believe these event have more to do with the PAM service as opposed to auditd, stackoverflow has the same question security - What does auditd log by default (i.e. when no rules are defined?) - Server Fault

system · September 29, 2022, 9:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Config Auditbeat Beats auditbeat	1	381	March 14, 2023
Auditbeat only sending metrics, not events Beats auditbeat	1	530	February 5, 2020
Delete audit rules on server Beats auditbeat	4	347	January 4, 2024
Correlation between auditd and system module Beats auditbeat	1	316	July 9, 2020
Auditbeat event types Beats auditbeat	2	1393	November 4, 2022

Auditbeat - auditd module default rules

Related topics