Auditbeat dashboard in kibana shows empty results

Hi All,

I am trying to build a monitoring system for auditctl using auditbeat on Elasticsearch 7.8.1 and Kibana 7.8.1. Everything is successfully set up, including auditbeat. But the auditbeat dashboard seems empty when I attempt to view the auditd-related info. I have verified auditbeat rules are set properly and its index is running (hope I am correct). Not sure what else to do. Kindly guide, thanks


auditbeat.yml config

[root@lxansidev02 elk]# grep -v "#" /etc/auditbeat/auditbeat.yml
auditbeat.modules:
- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
    -a always,exit -F arch=b32 -S all -F key=32bit-abi
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wrxa -k identity
    -w /etc/gshadow -p wa -k identity
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
- module: system
  datasets:
  state.period: 12h
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "localhost:5601"
output.elasticsearch:
  hosts: ["localhost:9200"]
  username: "elastic"
  password: "admin"
  index: 'auditbeat'
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
setup.template.enabled: false

docker-compose.yml config

[root@lxansidev02 elk]# cat docker-compose.yml
version: '3'
services:
  elasticsearch:
    image: elasticsearch:7.8.1
    ports:
      - 9200:9200
    environment:
      discovery.type: 'single-node'
      xpack.security.enabled: 'true'
      ELASTIC_PASSWORD: 'admin'
  kibana:
    image: kibana:7.8.1
    volumes:
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
    ports:
      - 5601:5601

Elasticsearch 7.8 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns :elasticheart: )

It looks like there are some 400k events from Auditbeat. I would check the Discovery tab and query for event.module: auditd and expand the time range to see if there are any events at all from auditd.
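One way to script the check suggested in that reply, as an added example that is not part of the thread and not Elastic's own tooling: it builds the same event.module: auditd query over a wide time range that you would type into Discover, summarises the hits, and additionally checks whether the index name from the posted config (index: 'auditbeat') is covered by the index pattern the stock Auditbeat dashboards are built on. The pattern auditbeat-* is assumed here as the Beats default; the host and credentials are the ones in the posted config; the sample response and its event.action values are constructed, not output from the poster's cluster.

```python
import fnmatch
import json
import urllib.request
from base64 import b64encode

# From the posted auditbeat.yml: output.elasticsearch.index is 'auditbeat'.
CONFIGURED_INDEX = "auditbeat"
# Assumption: the stock Auditbeat dashboards are built on the index pattern
# "auditbeat-*" (the Beats default). A bare index named "auditbeat" does not match it.
DASHBOARD_INDEX_PATTERN = "auditbeat-*"


def index_matches_pattern(index_name: str, pattern: str) -> bool:
    """Does a Kibana index pattern (shell-style wildcard) cover this index name?"""
    return fnmatch.fnmatchcase(index_name, pattern)


def auditd_count_query(lookback: str = "now-90d") -> dict:
    """Search body reproducing the Discover check from the reply: filter on
    event.module: auditd over a wide @timestamp range (Discover defaults to the
    last 15 minutes), and break the hits down by event.action."""
    return {
        "size": 0,
        "query": {
            "bool": {
                "filter": [
                    {"term": {"event.module": "auditd"}},
                    {"range": {"@timestamp": {"gte": lookback, "lte": "now"}}},
                ]
            }
        },
        "aggs": {"by_action": {"terms": {"field": "event.action", "size": 20}}},
    }


def summarize(response: dict) -> dict:
    """Reduce an Elasticsearch _search response to the numbers that matter."""
    total = response["hits"]["total"]
    # ES 7.x returns {"value": N, "relation": "eq"}; older releases return a bare int.
    count = total["value"] if isinstance(total, dict) else total
    buckets = response.get("aggregations", {}).get("by_action", {}).get("buckets", [])
    return {"auditd_events": count,
            "by_action": {b["key"]: b["doc_count"] for b in buckets}}


def diagnose(configured_index: str, pattern: str, response: dict) -> list:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    if not index_matches_pattern(configured_index, pattern):
        findings.append(f"index '{configured_index}' is not covered by the dashboard "
                        f"index pattern '{pattern}', so the dashboard shows nothing")
    if summarize(response)["auditd_events"] == 0:
        findings.append("no documents with event.module: auditd in the time range; "
                        "check that the auditd module and its audit_rules are loaded")
    return findings


def search(host: str, user: str, password: str, index: str, body: dict) -> dict:
    """Run body against index over the REST API with basic auth (live call)."""
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"http://{host}/{index}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response shaped like an ES 7.8 _search reply (not real
# output from the poster's cluster), so the checks can be exercised offline.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 1234, "relation": "eq"}, "hits": []},
    "aggregations": {"by_action": {"buckets": [
        {"key": "executed", "doc_count": 1000},
        {"key": "opened-file", "doc_count": 234},
    ]}},
}

if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    for line in diagnose(CONFIGURED_INDEX, DASHBOARD_INDEX_PATTERN, SAMPLE_RESPONSE):
        print("finding:", line)
    # Live check using the host and credentials from the posted config.
    try:
        live = search("localhost:9200", "elastic", "admin",
                      CONFIGURED_INDEX, auditd_count_query())
        print(json.dumps(summarize(live), indent=2))
    except Exception as exc:  # no cluster reachable, auth failure, missing index
        print("live query skipped:", exc)
```

Run against the sample it reports only the index-pattern mismatch; run live it prints how many auditd documents the cluster actually holds for the last 90 days, which separates "nothing is being indexed" from "the dashboard is looking at the wrong index".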
