Auditbeat event types


(grant) #1

Is there a list of auditbeat event types and categories? It seems that auditbeat is logging authentication events when I don't see anything besides 1 single rule in my auditbeat.yml config file, so I'm curious if there are ways to turn on and off specific categories and a comprehensive list of what is available. I don't see any documentation that shows where "user-login" events are coming from when they contain no tags, meanwhile there are events with my tag with a category of "audit-rule".


(Andrew Kroh) #2

Auditbeat subscribes to all events from the kernel's audit framework. Even if you configure no audit rules there are still events that get generated by other processes that publish audit events (like PAM, su, sudo).

You can add a processor to your configuration if you want to drop events. For example, if you only wanted to receive events related to audit rules that you configured, you could filter using:

auditbeat.modules:
- module: auditd
  processors:
  - drop_event.when.not.equals.event.category: "audit-rule"
  audit_rules: |
    # my audit rules

Linux has a list of audit event types. These map to event.type in Auditbeat. The value is lowercased and the leading AUDIT_ is removed.

The event.category field comes from Auditbeat. It sets the category based on the event.type value. You can see the list of categories in the code at https://github.com/elastic/go-libaudit/blob/bc29b128d4099fb834634afb535241f1608fb2f0/aucoalesce/event_type.go#L45-L63.
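As an added illustration of the two mappings described in this answer (kernel record type to event.type, and event.type to event.category) together with the drop_event processor's effect, here is a small Python emulation. It is not part of this thread and not Auditbeat's or go-libaudit's code: the category table is a hand-picked, assumed subset for illustration (the authoritative one is in the aucoalesce file linked above), the sample events are constructed, and the condition evaluator only supports equals/not/and/or.

```python
"""Emulate Auditbeat's event.type / event.category derivation and the
drop_event processor over constructed sample audit records.

Added example for this thread; not code from Auditbeat or go-libaudit.
"""

# ASSUMPTION: a small subset of kernel audit record type names (from
# linux/audit.h) paired with the event.category Auditbeat would assign.
# The real table is in go-libaudit's aucoalesce/event_type.go.
ASSUMED_CATEGORY_BY_TYPE = {
    "AUDIT_USER_AUTH": "user-login",
    "AUDIT_USER_LOGIN": "user-login",
    "AUDIT_CRED_ACQ": "user-login",
    "AUDIT_SYSCALL": "audit-rule",
    "AUDIT_PATH": "audit-rule",
    "AUDIT_SERVICE_START": "system-services",
}

# The processor condition from the answer, written as the nested form of
# drop_event.when.not.equals.event.category: "audit-rule".
DROP_WHEN = {"not": {"equals": {"event.category": "audit-rule"}}}


def to_event_type(record_type: str) -> str:
    """Kernel record type name -> event.type: strip leading AUDIT_, lowercase."""
    prefix = "AUDIT_"
    name = record_type[len(prefix):] if record_type.startswith(prefix) else record_type
    return name.lower()


def to_event_category(record_type: str) -> str:
    """event.category derived from the record type via the assumed table."""
    return ASSUMED_CATEGORY_BY_TYPE.get(record_type, "unknown")


def build_sample_events(rule_key: str = "my-rule-key") -> list:
    """Constructed sample events. Only records produced by a configured audit
    rule carry the rule's key in 'tags'; PAM/systemd-originated records do not,
    which is the situation the question describes."""
    record_types = [
        "AUDIT_USER_LOGIN",     # PAM login, no audit rule involved
        "AUDIT_CRED_ACQ",       # credential acquisition by sudo/su
        "AUDIT_SYSCALL",        # matched the configured audit rule
        "AUDIT_PATH",           # path record of that same syscall event
        "AUDIT_SERVICE_START",  # systemd service start
    ]
    events = []
    for rt in record_types:
        category = to_event_category(rt)
        events.append({
            "event.type": to_event_type(rt),
            "event.category": category,
            "tags": [rule_key] if category == "audit-rule" else [],
        })
    return events


def evaluate(cond: dict, event: dict) -> bool:
    """Reduced Beats-style condition evaluator: one operator per node."""
    (op, arg), = cond.items()
    if op == "equals":
        return all(event.get(k) == v for k, v in arg.items())
    if op == "not":
        return not evaluate(arg, event)
    if op == "and":
        return all(evaluate(c, event) for c in arg)
    if op == "or":
        return any(evaluate(c, event) for c in arg)
    raise ValueError(f"unsupported condition operator: {op}")


def drop_event(events: list, when: dict) -> list:
    """Keep only events for which the 'when' condition is false."""
    return [e for e in events if not evaluate(when, e)]


def kept_event_types(events: list = None) -> list:
    """event.type values that survive the answer's drop_event processor."""
    events = build_sample_events() if events is None else events
    return [e["event.type"] for e in drop_event(events, DROP_WHEN)]


def untagged_categories(events: list = None) -> list:
    """Categories that arrive with no tags, i.e. not from a configured rule."""
    events = build_sample_events() if events is None else events
    return sorted({e["event.category"] for e in events if not e["tags"]})


if __name__ == "__main__":
    print("untagged categories:", untagged_categories())
    print("kept after drop_event:", kept_event_types())
```

Running it shows that the untagged events are exactly the user-login and system-services ones, and that the processor from the answer leaves only the audit-rule records (syscall and path) that carry the rule key.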

