Auditbeat disable login log

Hello all,

I run Auditbeat 7.1.0 and I can't disable the SSH log for Auditbeat.
On Graylog I get this:

auditbeat_auditd_data_op
PAM:session_open
auditbeat_auditd_data_terminal
ssh

In the Auditbeat config file I have this:

 - module: auditd
   audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
   audit_rules: |
     -w /etc -p wa -k etc

The system module for login is commented out.

Hi @nopma - services like pam and openssh send login events to auditd by default, and that is likely what you are seeing. You could configure Auditbeat to drop those events using a drop_event processor.
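
A sketch of the drop_event processor suggested in the reply above, as an added example that is not part of the original posts. The field names `auditd.data.op` and `auditd.data.terminal` are assumed from the Graylog fields shown in the question (`auditbeat_auditd_data_op`, `auditbeat_auditd_data_terminal`); check the actual event JSON before relying on them.

```yaml
auditbeat.modules:
  - module: auditd
    audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
    audit_rules: |
      -w /etc -p wa -k etc

processors:
  # Drop only the PAM session events that arrive over ssh.
  # All three conditions must match, so the /etc watch events (key "etc")
  # and PAM events from other terminals are still shipped.
  - drop_event:
      when:
        and:
          - equals:
              event.module: auditd
          - equals:
              auditd.data.terminal: ssh      # assumed field name, see lead-in
          - equals:
              auditd.data.op: "PAM:session_open"   # value shown in the question
  # To drop further PAM operations, add one more drop_event per value
  # actually observed in Graylog rather than matching on a broad pattern,
  # so that unrelated authentication events are not silently discarded.
```

Run `auditbeat test config` after editing to confirm the file still parses.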
