Auditbeat - map changes to users

Hello, we are looking at leveraging auditbeat to replace a commercial FIM solution in use. One of our requirements is that any changes initiated by users are mapped and notated in the logs. Is anyone aware of an easy way to append user information (where applicable) to auditbeat logs?

Currently, the file_integrity module doesn't have information about the user causing the changes. However, if you're on a Linux system, you can also use the auditd module to monitor the filesystem.

For example, with the following audit rule:
-w /tmp/test -p wra -k fim

You can get all the write, read and attribute-change accesses to the directory /tmp/test and its subdirectories, annotated with the user and process information. Note that `user.auid` (the audit login UID) still identifies the original login user, "vagrant", even though this particular access was performed as root via `su`, as the `user.euid` and `process.title` fields show:

{
  "@timestamp": "2018-06-07T04:15:36.317Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "doc",
    "version": "7.0.0-alpha1"
  },
  "event": {
    "action": "opened-file",
    "module": "auditd",
    "category": "audit-rule",
    "type": "syscall"
  },
  "user": {
    "euid": "0",
    "name_map": {
      "sgid": "root",
      "suid": "root",
      "auid": "vagrant",
      "fsuid": "root",
      "fsgid": "root",
      "gid": "root",
      "uid": "root",
      "egid": "root",
      "euid": "root"
    },
    "uid": "0",
    "suid": "0",
    "sgid": "0",
    "gid": "0",
    "fsgid": "0",
    "egid": "0",
    "auid": "1000",
    "fsuid": "0"
  },
  "beat": {
    "name": "ubuntu-bionic",
    "hostname": "ubuntu-bionic",
    "version": "7.0.0-alpha1"
  },
  "host": {
    "name": "ubuntu-bionic"
  },
  "process": {
    "cwd": "/tmp/test/subdir",
    "pid": "4897",
    "ppid": "4896",
    "title": "su",
    "name": "bash",
    "exe": "/bin/bash"
  },
  "file": {
    "group": "root",
    "path": "hello",
    "device": "00:00",
    "inode": "272889",
    "mode": "0644",
    "uid": "0",
    "gid": "0",
    "owner": "root"
  },
  "tags": [
    "fim"
  ],
  "auditd": {
    "paths": [
      {
        "ouid": "0",
        "rdev": "00:00",
        "cap_fe": "0",
        "cap_fver": "0",
        "dev": "08:01",
        "item": "0",
        "name": "/tmp/test/subdir",
        "ogid": "0",
        "cap_fi": "0000000000000000",
        "cap_fp": "0000000000000000",
        "inode": "272888",
        "mode": "040755",
        "nametype": "PARENT"
      },
      {
        "cap_fp": "0000000000000000",
        "dev": "08:01",
        "mode": "0100644",
        "ogid": "0",
        "cap_fe": "0",
        "cap_fi": "0000000000000000",
        "cap_fver": "0",
        "inode": "272889",
        "item": "1",
        "name": "hello",
        "nametype": "CREATE",
        "ouid": "0",
        "rdev": "00:00"
      }
    ],
    "sequence": 1570,
    "result": "success",
    "session": "13",
    "data": {
      "a2": "241",
      "syscall": "openat",
      "a0": "ffffff9c",
      "arch": "x86_64",
      "tty": "pts1",
      "exit": "3",
      "a3": "1b6",
      "a1": "55c23d62f120"
    },
    "summary": {
      "actor": {
        "primary": "vagrant",
        "secondary": "root"
      },
      "object": {
        "type": "file",
        "primary": "hello"
      },
      "how": "/bin/bash"
    }
  }
}

Awesome, thank you for the response Adrian!! I had trouble getting some of the auditd rules to work, but it was probably YAML issues. I'll give it a shot again. Thanks so much!!

Hello adrisr,

What if I'm monitoring a Windows file server? How can I log the user info?

Thank you in advance.