Hi all,
I am trying to build a monitoring system for auditctl using Auditbeat on Elasticsearch 7.8.1 and Kibana 7.8.1. Everything is set up successfully, including Auditbeat, but the Auditbeat dashboard appears empty when I try to view the auditd-related information. I have verified that the Auditbeat rules are set properly and that its index is running (I hope that is correct). I am not sure what else to check. Any guidance would be appreciated, thanks.
auditbeat.yml config
[root@lxansidev02 elk]# grep -v "#" /etc/auditbeat/auditbeat.yml
# Auditbeat module configuration as printed by `grep -v "#"`. That filter drops
# every line containing a '#' anywhere, including (in the stock config) dataset
# entries that carry a trailing comment, so the empty `datasets:` lists below
# may be a filtering artifact rather than the real file — confirm against the
# unfiltered file.
auditbeat.modules:
- module: auditd
  # Rules come from both the drop-in directory and the inline block below.
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  # Inline auditctl rules:
  #  - arch=b32 -S all: records every 32-bit syscall (detects 32-bit ABI use;
  #    noisy on hosts that regularly run 32-bit binaries).
  #  - execve/execveat under key "exec": process execution trail.
  #  - watches on group/passwd/gshadow under key "identity".
  # NOTE(review): the /etc/passwd watch includes 'r', so every read of the file
  # (nearly every user lookup on the system) becomes an event — expect very high
  # volume; the sibling identity watches use only 'wa'.
  audit_rules: |
    -a always,exit -F arch=b32 -S all -F key=32bit-abi
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wrxa -k identity
    -w /etc/gshadow -p wa -k identity

- module: file_integrity
  # Directories monitored for file changes.
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

- module: system
  datasets:
  # (dataset entries not visible in this filtered listing — see note at top)

- module: system
  datasets:
  # (dataset entries not visible in this filtered listing — see note at top)

  # Interval between full state snapshots sent by the system datasets.
  state.period: 12h
  # Presumably tracks password-field changes for local users — confirm against
  # the system module docs.
  user.detect_password_changes: true
  # Login record files read by the login dataset.
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "localhost:5601"

output.elasticsearch:
  # Plain HTTP to a local node: the password below travels in cleartext on this
  # connection, acceptable only while the target stays on the loopback interface.
  hosts: ["localhost:9200"]
  # NOTE(review): "elastic" is the built-in superuser; ship with a dedicated
  # least-privilege writer user instead.
  username: "elastic"
  # NOTE(review): credential stored in cleartext in the config file and repeated
  # in docker-compose.yml. Prefer the Beats keystore (`auditbeat keystore add <KEY>`,
  # with <KEY> a name of your choosing) and reference it here as "${<KEY>}", using a
  # non-default value.
  password: "admin"
  # NOTE(review): custom index name. The shipped Kibana dashboards query the index
  # pattern auditbeat-*, which does not match an index literally named "auditbeat";
  # this is a likely reason the auditd dashboard is empty. Whether this name is
  # actually used depends on ILM (the 7.x default overrides it with an ILM write
  # alias), so check the real index name with GET _cat/indices. A custom index in
  # 7.x also expects setup.template.name and setup.template.pattern to be set.
  index: 'auditbeat'

processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
- add_docker_metadata: ~

# NOTE(review): with template loading disabled the index gets dynamic mappings
# instead of the ECS mappings the dashboard visualizations rely on (e.g. keyword
# fields for aggregations). Together with the custom index name above, this is
# the first thing to re-check for the empty dashboard.
setup.template.enabled: false
docker-compose.yml config
[root@lxansidev02 elk]# cat docker-compose.yml
# Single-node Elasticsearch + Kibana stack used for the Auditbeat test.
# NOTE(review): both service ports use the plain "HOST:CONTAINER" form, which
# publishes them on all host interfaces, so the Elasticsearch API and the Kibana
# UI are reachable from the network, not only from Auditbeat on this host. Bind
# to loopback ("127.0.0.1:9200:9200", "127.0.0.1:5601:5601") unless remote
# access is intended.
version: '3'
services:
  elasticsearch:
    image: elasticsearch:7.8.1
    ports:
    - 9200:9200
    environment:
      discovery.type: 'single-node'
      # Security enabled: every client (Auditbeat, Kibana) must authenticate.
      xpack.security.enabled: 'true'
      # NOTE(review): bootstrap superuser password in cleartext, and the same weak
      # value is repeated in auditbeat.yml. Use a strong value supplied via an env
      # file or secret, and create a least-privilege writer user for Auditbeat
      # rather than shipping as "elastic".
      ELASTIC_PASSWORD: 'admin'
    # No data volume is declared, so indices live in the container layer and are
    # lost when the container is recreated.
  kibana:
    image: kibana:7.8.1
    volumes:
    # kibana.yml is not shown in the post; presumably it carries the
    # Elasticsearch host and the credentials Kibana uses — confirm.
    - ./kibana.yml:/usr/share/kibana/config/kibana.yml
    ports:
    - 5601:5601