Auditbeat logs write to /var/log/messages

masonlu2014 · September 14, 2022, 4:03am

hi guys,

we are sawing weird issue, we are using auditbeat as pod running on our kubenets cluster, however in some day, we saw there is a large audit events has been write to our work node /var/log/message, and i can confirm auditd service has been disable on the work node. so anything reason happen on this ? thanks for help

masonlu2014 · September 14, 2022, 4:20am

a lot auditd events write in /var/log/messages in short time

Sep  7 18:16:52 node-v88jz-11 audit: PROCTITLE proctitle=2F6E657464002D2D64697361626C652D746573736E65742D66696E616C697A65723D74727565002D2D636F6E6669673D2F6D6E742F6970616D2D636F6E6669672F636F6E6669672E6A736F6E002D2D656E61626C652D746C626D656D6265722D636F6E74726F6C6C65723D74727565002D2D746C626D656D6265722D776F726B
Sep  7 18:16:52 node-v88jz-11 audit[57547]: SYSCALL arch=c000003e syscall=281 success=yes exit=0 a0=3 a1=c001049800 a2=80 a3=0 items=0 ppid=57169 pid=57547 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="admission-serve" exe="/admission-server" subj=? key=(null)
Sep  7 18:16:52 node-v88jz-11 audit[57547]: SYSCALL arch=c000003e syscall=281 success=yes exit=0 a0=3 a1=c001049800 a2=80 a3=0 items=0 ppid=57169 pid=57547 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="admission-serve" exe="/admission-server" subj=? key=(null)
Sep  7 18:16:52 node-v88jz-11 audit[57923]: SYSCALL arch=c000003e syscall=202 success=yes exit=0 a0=c0047e2148 a1=80 a2=0 a3=0 items=0 ppid=60774 pid=57923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netd" exe="/netd" subj=? key=(null)
Sep  7 18:16:52 node-v88jz-11 audit[57923]: SYSCALL arch=c000003e syscall=202 success=yes exit=0 a0=c0047e2148 a1=80 a2=0 a3=0 items=0 ppid=60774 pid=57923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netd" exe="/netd" subj=? key=(null)
Sep  7 18:16:52 node-v88jz-11 audit: PROCTITLE proctitle=2F61646D697373696F6E2D736572766572002D2D61757468656E7469636174696F6E2D6B756265636F6E6669673D2F6574632F6170697365727665722F6167672D6B756265636F6E666967002D2D61757468656E7469636174696F6E2D736B69702D6C6F6F6B75703D74727565002D2D617574686F72697A6174696F6E2D6B75

andrewkroh · September 15, 2022, 1:13pm

I can think of a two things to check.

journald can receive audit events over multicast and log them. You can disable it with systemctl mask systemd-journald-audit.socket.
The kernel has a feature to optionally write messages using printk. You can control this with Auditbeat by adding failure_mode: silent (see docs). You can check the value with auditctl -s (from auditd) or auditbeat show auditd-status.

masonlu2014 · September 16, 2022, 12:32pm

thanks andrewkroh, let me try that

system · October 14, 2022, 2:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configure module Auditd with Kubectl [Auditbeat 7.9.2] Beats auditbeat	2	457	April 12, 2021
How can I tell if Auditbeat is grouping syscall messages? Beats auditbeat	8	1112	November 4, 2022
Filebeat auditd module Beats filebeat	4	542	October 10, 2018
Auditbeat only sending metrics, not events Beats auditbeat	1	530	February 5, 2020
Auditbeat monitor pod audit events Beats auditbeat	1	305	October 24, 2022

Auditbeat logs write to /var/log/messages

Related topics