Good afternoon,
I am working on an integration between auditbeat + logstash + splunk
This is the auditbeat configuration from one of my nodes, pointing to my logstash:
cat auditbeat.yml
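###################### Auditbeat Configuration #########################
auditbeat.modules:
  # FIM directories
  - module: file_integrity
    paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc
      - /var/lib/docker
    scan_at_start: true
    scan_rate_per_sec: 50 MiB
    max_file_size: 100 MiB
    # sha1 is enough to detect a changed file; switch to sha256 if the hash
    # is also compared against external/allow-list sources.
    hash_types: [sha1]
    # Only the listed directories themselves are watched; their subdirectories
    # (e.g. /etc/ssh) are not covered by FIM with recursive disabled.
    recursive: false

  # Security auditd events
  - module: auditd
    resolve_ids: true
    failure_mode: silent
    backlog_limit: 8196
    rate_limit: 0
    include_raw_message: false
    include_warnings: false
    # Rules use auditctl syntax; lines starting with '#' are rule-file comments
    # (data inside the block scalar, not YAML comments).
    audit_rules: |
      -w /var/log/audit -k audit_log_access
      #sshd monitoring
      -w /etc/ssh/sshd_config -p wxa -k sshd_configchange
      #network time changes
      -a always,exit -F arch=b64 -S adjtimex -k audit_time_rules
      -a always,exit -F arch=b64 -S settimeofday -k audit_time_rules
      -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules
      -a always,exit -F arch=b64 -S clock_settime -k audit_time_rules
      -w /etc/localtime -p wa -k audit_time_rules
      #Users & groups
      -w /etc/group -p wa -k audit_account_changes
      -w /etc/passwd -p wa -k audit_account_changes
      -w /etc/gshadow -p wa -k audit_account_changes
      -w /etc/shadow -p wa -k audit_account_changes
      -w /etc/security/opasswd -p wa -k audit_account_changes
      #Network configurations
      -a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_network_modifications
      -w /etc/issue -p wa -k audit_network_modifications
      -w /etc/issue.net -p wa -k audit_network_modifications
      -w /etc/hosts -p wa -k audit_network_modifications
      -w /etc/sysconfig/network -p wa -k audit_network_modifications
      #SELinux
      -w /etc/selinux/ -p wa -k MAC-policy
      #Login, Logout & sessions
      -w /var/log/tallylog -p wa -k logins
      -w /var/log/lastlog -p wa -k logins
      -w /var/run/utmp -p wa -k session
      -w /var/log/btmp -p wa -k session
      -w /var/log/wtmp -p wa -k session
      #Sudoers
      -w /etc/sudoers -p wa -k actions
      #Kernel modules
      -w /sbin/insmod -p x -k modules
      -w /sbin/rmmod -p x -k modules
      -w /sbin/modprobe -p x -k modules
      -a always,exit -F arch=b64 -S init_module -S delete_module -k modules

#-------------------------- Logstash output ------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["xxxxxxxxxx:5044"]
  # NOTE(review): no ssl.* settings are shown here, so audit events reach
  # Logstash unencrypted unless TLS is configured elsewhere — confirm.
  timeout: 30
  index: "auditbeat"
  tags: ["auditbeat", "cdc"]

#================================ Logging =====================================
# Sets log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
#logging.level: debug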
and my logstash sends the events to splunk via a pipeline config:
cat 81_output.splunk.conf
# Pipeline fed via pipeline-to-pipeline from the "output.splunk" virtual address.
input {
  pipeline { address => "output.splunk" }
}

filter {
  # Metadata-only field; [@metadata] is not forwarded to the output body.
  mutate {
    add_field => { "[@metadata][lsparams_index_suffix]" => "" }
  }
}

output {
  # Splunk HTTP Event Collector over mutual TLS.
  # NOTE(review): the cert/key paths contain a space ("/etc/logstash/ auth/");
  # confirm that is the real directory name and not a paste artifact.
  # NOTE(review): client_cert points at a .der file; the http output reads
  # the certificate as text (PEM), so a binary DER file is a plausible source
  # of "invalid byte sequence in UTF-8" — confirm the expected format.
  http {
    http_method => "post"
    cacert      => "/etc/logstash/ auth/cacert.pem"
    client_cert => "/etc/logstash/ auth/server.der"
    client_key  => "/etc/logstash/ auth/privkey.pem"
    url         => "https://xxxxxxxxxxxxxx:8088/services/collector"
    # The HEC token is a secret; prefer keeping it in the Logstash keystore
    # and referencing it as "Splunk ${SPLUNK_HEC_TOKEN}" rather than inline.
    headers => { "Authorization" => "Splunk xxxxxxxxxxxx" }
    # NOTE(review): only the [log] field is sent; if auditbeat events carry no
    # "log" field the literal "%{log}" is posted — confirm against a sample event.
    mapping => { "event" => "%{log}" }
  }
}
I am getting the following error in logstash at startup
{"level":"ERROR","loggerName":"logstash.outputs.http","timeMillis":1637941666939,"thread":"[output.splunk]>worker1","logEvent":{"message":"[HTTP Output Failure] Could not fetch URL","url":"https://xxxxxxxxxx:8088/services/collector","method":{"metaClass":{"metaClass":{"metaClass":{"method":"post","message":"invalid byte sequence in UTF-8","class":"ArgumentError","will_retry":false}}}}}}
What could be the problem?