Auditbeat disable login log

nopma · May 27, 2019, 7:57am

Hello all,

I run auditbeat 7.1.0 and i can't disable the ssh log for auditbeat.
On the graylog i get this:

auditbeat_auditd_data_op
PAM:session_open
auditbeat_auditd_data_terminal
ssh

On the auditbeat config file i have this:

 - module: auditd
   audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
   audit_rules: |
     -w /etc -p wa -k etc

The module system for login is comment out

cwurm · June 6, 2019, 5:50pm

Hi @nopma - services like pam and openssh send login events to auditd by default, and that is likely what you are seeing. You could configure Auditbeat to drop those events using a drop_event processor.

Topic		Replies	Views
SSH Access Rule Beats auditbeat	4	821	July 4, 2020
Log All User's Shell Activity Beats auditbeat	3	3987	September 8, 2018
Duplicate audit logs for successful logins in auditbeat Beats auditbeat	7	2046	May 30, 2019
Auditbeat on Windows core with sshd Beats auditbeat	1	310	September 8, 2022
Auditbeat - auditd module default rules Beats auditbeat	2	482	September 29, 2022

Auditbeat disable login log

Related topics