Auditbeat issue - custom audit rule not working

(Francis Tamilarasan) #1

I am new to ELK...

I have installed a single node Elasticsearch, Auditbeat and Kibana. I can see documents in Elasticsearch/Kibana for the default audits enabled by Auditbeat, but not for the one I enabled.

    [root@elk-testing-server auditbeat]# pwd
    /etc/auditbeat
    [root@elk-testing-server auditbeat]# grep -i testfolder auditbeat.yml
    -w /tmp/temp/testfolder -p rwxa -k testfolder_change1
    [root@elk-testing-server auditbeat]#

I see the audit tag has some information in the audit log, but this information is not available via Kibana/Elasticsearch.

    [root@elk-testing-server auditbeat]# ausearch -k testfolder_change1 | aureport -f -i

    File Report
    ===============================================
    # date time file syscall success exe auid event
    ===============================================
    1. 03/13/2019 09:56:28 /tmp/temp/testfolder getxattr no /usr/bin/ls tamilanbu01114 4866
    2. 03/13/2019 09:56:28 /tmp/temp/testfolder getxattr no /usr/bin/ls tamilanbu01114 4867
    3. 03/13/2019 09:56:28 /tmp/temp/testfolder lgetxattr no /usr/bin/ls tamilanbu01114 4865
    4. 03/13/2019 09:56:57 /tmp/temp/testfolder fchmodat yes /usr/bin/chmod tamilanbu01114 4868
    5. 03/13/2019 09:57:18 /tmp/temp/testfolder fchmodat yes /usr/bin/chmod tamilanbu01114 4869
    6. 03/13/2019 10:10:21 /tmp/temp/testfolder/ lgetxattr no /usr/bin/ls tamilanbu01114 4905
    7. 03/13/2019 10:10:21 /tmp/temp/testfolder/ getxattr no /usr/bin/ls tamilanbu01114 4906
    8. 03/13/2019 10:10:21 /tmp/temp/testfolder/ getxattr no /usr/bin/ls tamilanbu01114 4907
    9. 03/13/2019 10:10:36 /tmp/temp/testfolder/ fchmodat yes /usr/bin/chmod tamilanbu01114 4908
    10. 03/13/2019 10:10:40 /tmp/temp/testfolder/ lgetxattr no /usr/bin/ls tamilanbu01114 4909
    11. 03/13/2019 10:10:40 /tmp/temp/testfolder/ getxattr no /usr/bin/ls tamilanbu01114 4910
    12. 03/13/2019 10:10:40 /tmp/temp/testfolder/ getxattr no /usr/bin/ls tamilanbu01114 4911

    [root@elk-testing-server auditbeat]# curl localhost:9200/_cat/indices?v
    health status index                      uuid                   pri rep docs.count docs.deleted store.size pri.store.size
    green  open   .kibana_1                  8fUBWMMqTH2mhUAcesPr2w   1   0         36            0    103.7kb        103.7kb
    yellow open   sshd_fail-2019.03          vk6cMATHTv-tLNmEF1Axrw   5   1        243            0      330kb          330kb
    yellow open   auditbeat-6.6.2-2019.03.13 -kHJXMO9TKqi8gWHXPBCYg   3   1       5593            0      4.8mb          4.8mb
    [root@elk-testing-server auditbeat]#

(Andrew Kroh) #2

Can you please post the config file and the beginning of the Auditbeat log file showing the first ~30s after it starts?

You are running both auditd and auditbeat?
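A small diagnostic script for the two things the reply above asks about, added here as an example and not posted in the thread: whether a rule with the given key is actually loaded in the kernel, and which process holds the kernel audit socket (when auditd holds it while Auditbeat runs, Auditbeat does not receive the events unless its auditd module is configured with `socket_type: multicast`). It assumes root, `auditctl`, `ps`, `curl` and `systemctl`, Elasticsearch on localhost:9200 as on the page, and that Auditbeat stores the rule key in each event's `tags` field.

```shell
#!/bin/sh
# Added diagnostic helper for the thread above; not part of Auditbeat or the
# original posts. Assumptions: runs as root, auditctl/ps/curl/systemctl exist,
# Elasticsearch listens on localhost:9200 (as on the page), and Auditbeat
# copies the audit rule key into the `tags` field of each event.
ES_URL="${ES_URL:-http://localhost:9200}"

# Succeeds when the `auditctl -l` output in $1 contains a rule keyed with $2.
rule_loaded() {
    printf '%s\n' "$1" | grep -Eq -- "(^|[[:space:]])-k[[:space:]]+$2([[:space:]]|\$)"
}

# Prints the PID holding the kernel audit socket, from `auditctl -s` output in $1
# (the "pid N" line); prints 0 when no process has claimed it.
audit_consumer_pid() {
    printf '%s\n' "$1" | awk '$1 == "pid" { print $2; found = 1 } END { if (!found) print 0 }'
}

# Prints the command name (auditd, auditbeat, ...) owning PID $1, or nothing.
consumer_name() {
    if [ "$1" -gt 0 ] 2>/dev/null; then ps -o comm= -p "$1" 2>/dev/null || true; fi
}

# Extracts the "count" value from an Elasticsearch _count response held in $1.
parse_count() {
    printf '%s\n' "$1" | sed -n 's/.*"count":\([0-9][0-9]*\).*/\1/p'
}

# Number of Auditbeat documents tagged with rule key $1.
es_count_for_key() {
    parse_count "$(curl -s "$ES_URL/auditbeat-*/_count?q=tags:$1")"
}

main() {
    key="$1"
    if rule_loaded "$(auditctl -l)" "$key"; then
        echo "kernel: rule with key $key is loaded"
    else
        echo "kernel: no rule with key $key is loaded (check the Auditbeat log for rule errors)"
    fi
    owner=$(consumer_name "$(audit_consumer_pid "$(auditctl -s)")")
    echo "audit socket owner: ${owner:-none}"
    if [ "$owner" = "auditd" ] && systemctl -q is-active auditbeat; then
        echo "auditd owns the audit socket while Auditbeat runs: events go to auditd only;" \
             "stop auditd or set socket_type: multicast in the Auditbeat auditd module"
    fi
    echo "documents tagged $key in Elasticsearch: $(es_count_for_key "$key")"
}

# Run only when a key is given, e.g.: sh audit_diag.sh testfolder_change1
if [ $# -gt 0 ]; then main "$1"; fi
```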

(system) closed #3

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.