I am new to ELK.
I have installed a single node with Elasticsearch, Auditbeat and Kibana. I can see documents in Elasticsearch/Kibana for the default audit rules enabled by Auditbeat, but not for the rule I enabled myself.
[root@elk-testing-server auditbeat]# pwd
/etc/auditbeat
[root@elk-testing-server auditbeat]# grep -i testfolder auditbeat.yml
-w /tmp/temp/testfolder -p rwxa -k testfolder_change1
[root@elk-testing-server auditbeat]#
I can see that the audit key has matching records in the audit log, but this information is not available via Kibana/Elasticsearch.
[root@elk-testing-server auditbeat]# ausearch -k testfolder_change1 | aureport -f -i
File Report
date time file syscall success exe auid event
===============================================
- 03/13/2019 09:56:28 /tmp/temp/testfolder getxattr no /usr/bin/ls tamilanbu01114 4866
- 03/13/2019 09:56:28 /tmp/temp/testfolder getxattr no /usr/bin/ls tamilanbu01114 4867
- 03/13/2019 09:56:28 /tmp/temp/testfolder lgetxattr no /usr/bin/ls tamilanbu01114 4865
- 03/13/2019 09:56:57 /tmp/temp/testfolder fchmodat yes /usr/bin/chmod tamilanbu01114 4868
- 03/13/2019 09:57:18 /tmp/temp/testfolder fchmodat yes /usr/bin/chmod tamilanbu01114 4869
- 03/13/2019 10:10:21 /tmp/temp/testfolder/ lgetxattr no /usr/bin/ls tamilanbu01114 4905
- 03/13/2019 10:10:21 /tmp/temp/testfolder/ getxattr no /usr/bin/ls tamilanbu01114 4906
- 03/13/2019 10:10:21 /tmp/temp/testfolder/ getxattr no /usr/bin/ls tamilanbu01114 4907
- 03/13/2019 10:10:36 /tmp/temp/testfolder/ fchmodat yes /usr/bin/chmod tamilanbu01114 4908
- 03/13/2019 10:10:40 /tmp/temp/testfolder/ lgetxattr no /usr/bin/ls tamilanbu01114 4909
- 03/13/2019 10:10:40 /tmp/temp/testfolder/ getxattr no /usr/bin/ls tamilanbu01114 4910
- 03/13/2019 10:10:40 /tmp/temp/testfolder/ getxattr no /usr/bin/ls tamilanbu01114 4911
[root@elk-testing-server auditbeat]# curl localhost:9200/_cat/indices?v
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .kibana_1 8fUBWMMqTH2mhUAcesPr2w 1 0 36 0 103.7kb 103.7kb
yellow open sshd_fail-2019.03 vk6cMATHTv-tLNmEF1Axrw 5 1 243 0 330kb 330kb
yellow open auditbeat-6.6.2-2019.03.13 -kHJXMO9TKqi8gWHXPBCYg 3 1 5593 0 4.8mb 4.8mb
[root@elk-testing-server auditbeat]#