Auditbeat disable login log

Hello all,

I run auditbeat 7.1.0 and i can't disable the ssh log for auditbeat.
On the graylog i get this:


On the auditbeat config file i have this:

 - module: auditd
   audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
   audit_rules: |
     -w /etc -p wa -k etc

The module system for login is comment out

Hi @nopma - services like pam and openssh send login events to auditd by default, and that is likely what you are seeing. You could configure Auditbeat to drop those events using a drop_event processor.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.