Hi All,
How can I configure auditbeat to log all commands executed by users?
I am asking because when I execute the "echo test" command, it is not logged by auditbeat, but when I execute the "/usr/bin/echo test" command, it is logged successfully.
`echo test` is using a "shell built-in" (like env, export, etc.) and those do not generate process events because they are not new Linux processes. It's something that is happening within the existing shell process as opposed to executing an `execve` system call to launch a new process.
If you want to monitor what is being entered into a shell then one option is to enable the Linux pam_tty_audit module. That causes auditd events to be emitted as keystrokes are entered into the terminal.
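As an added example (not code from the thread above), a small POSIX sh helper that makes the distinction in the answer checkable: it classifies a command word with `type` and reports whether running it would go through `execve()`, the syscall that auditbeat's process events are built on. The function names and the example audit rule in the comments are assumptions for illustration; it assumes auditbeat is collecting `execve` events via an auditd syscall rule.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# auditbeat process events come from an auditd execve() syscall rule, e.g.
#   -a always,exit -F arch=b64 -S execve -k exec   (example rule, not from the thread)
# so only command words that start a new process are ever visible to it.

# Prints one of: builtin, keyword, function, alias, file, unknown.
# `type` is POSIX and its wording is stable across dash, bash and busybox ash.
classify_cmd() {
    out=$(type "$1" 2>/dev/null) || { echo unknown; return 0; }
    case "$out" in
        *"is a shell builtin"*|*"is a special shell builtin"*) echo builtin ;;
        *"is a shell keyword"*|*"is a keyword"*)               echo keyword ;;
        *"is a function"*|*"is a shell function"*)             echo function ;;
        *"is aliased to"*|*"is an alias"*)                     echo alias ;;
        *)                                                     echo file ;;
    esac
}

# Returns 0 when the command word resolves to a file on disk, so the shell
# will fork and execve() it and an execve audit rule will record it.
# Returns 1 when the shell handles it internally (no new process, no event).
would_execve() {
    case "$(classify_cmd "$1")" in
        file) return 0 ;;
        *)    return 1 ;;
    esac
}

# Human-readable report for a list of command words.
report() {
    for cmd in "$@"; do
        if would_execve "$cmd"; then
            printf '%-16s %-8s -> execve, seen by auditbeat\n' "$cmd" "$(classify_cmd "$cmd")"
        else
            printf '%-16s %-8s -> in-shell, NOT seen by an execve rule\n' "$cmd" "$(classify_cmd "$cmd")"
        fi
    done
}

# The two commands from the question, plus a couple more for comparison.
report echo /usr/bin/echo cd sh
```

Built-ins like `echo` and `cd` fall on the in-shell side; `/usr/bin/echo` and `sh` resolve to files and are exactly the cases an execve rule records.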