I've set up Auditbeat to report on Docker activity, but I don't see the parameters. For example, if a user types docker exec auditbeat env, the resulting Auditbeat record just has { "auditd" : { "data": { "op": "exec"... but there are no parameters. What did they execute? I don't know, because I don't see any parameters in the audit record.
Is this normal? Do I need to change a configuration to see the parameters?
How did you do this? Please show the configuration that you are using, OS version, and the Auditbeat version.
Are you monitoring execve syscalls? I would use something like:

auditbeat.modules:
- module: auditd
  audit_rules: |
    -a always,exit -F arch=b64 -S execve,execveat -k exec

processors:
- add_docker_metadata: ~
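As an added illustration of why the execve rule matters (example code written for this page, not from the poster, Auditbeat or auditd): the arguments of an executed command are carried only in the EXECVE record that an execve/execveat syscall rule produces, as a0..aN fields next to argc. The kernel hex-encodes an argument that contains whitespace, a quote or a non-printable byte, emits (null) for a NULL argument, and splits very long arguments into aN[0], aN[1], ... chunks. A file watch such as -w /usr/bin/docker yields SYSCALL and PATH records for access to that path, which name the file and the rule key but carry no argv. The script below groups raw auditd lines (the layout ausearch --raw prints) by event serial and reconstructs argv per event; the log lines are constructed for the example, with made-up serials, pids and inode numbers.

```python
"""Reconstruct argv from raw auditd records (ausearch --raw style).

Added example for this thread; not code from the poster, Auditbeat or auditd.
Field layout follows the Linux audit subsystem: the SYSCALL record names the
binary and rule key, the EXECVE record carries argc and a0..aN. String values
are "quoted", or uppercase hex when the kernel could not print them safely,
or (null). Very long arguments are split into aN[0], aN[1], ... chunks.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample log: serials, pids and inode numbers are made up.
# 201: `docker exec auditbeat env`                   (execve rule, key "exec")
# 202: `docker exec auditbeat sh -c "env | grep ES"`; a5 is hex because it has spaces
# 203: sha256sum reading /usr/bin/docker              (-w watch, key "docker": no argv)
# 204: a split argument, shortened here (auditd only splits multi-KiB values)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1525000000.100:201): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd10 a1=7ffd20 a2=7ffd30 a3=0 items=2 ppid=1000 pid=1001 auid=1000 uid=0 gid=0 euid=0 comm="docker" exe="/usr/bin/docker" key="exec"
type=EXECVE msg=audit(1525000000.100:201): argc=4 a0="docker" a1="exec" a2="auditbeat" a3="env"
type=SYSCALL msg=audit(1525000000.200:202): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd10 a1=7ffd20 a2=7ffd30 a3=0 items=2 ppid=1000 pid=1002 auid=1000 uid=0 gid=0 euid=0 comm="docker" exe="/usr/bin/docker" key="exec"
type=EXECVE msg=audit(1525000000.200:202): argc=6 a0="docker" a1="exec" a2="auditbeat" a3="sh" a4="-c" a5=656E76207C2067726570204553
type=SYSCALL msg=audit(1525000000.300:203): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd40 a1=0 a2=0 a3=0 items=1 ppid=1000 pid=1003 auid=1000 uid=0 gid=0 euid=0 comm="sha256sum" exe="/usr/bin/sha256sum" key="docker"
type=PATH msg=audit(1525000000.300:203): item=0 name="/usr/bin/docker" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1525000000.400:204): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd10 a1=7ffd20 a2=7ffd30 a3=0 items=2 ppid=1000 pid=1004 auid=1000 uid=0 gid=0 euid=0 comm="docker" exe="/usr/bin/docker" key="exec"
type=EXECVE msg=audit(1525000000.400:204): argc=4 a0="docker" a1="exec" a2="auditbeat" a3[0]="/etc/auditbeat/" a3[1]="auditbeat.yml"
"""

# key=value tokens; quoted values never contain a quote (the kernel hex-encodes instead).
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")


def parse_fields(line: str) -> dict[str, str]:
    """Split one record into key/value pairs; values keep their quotes for decode_value."""
    return dict(FIELD_RE.findall(line))


def decode_value(raw: str) -> str:
    """Decode an audit string field: "quoted", (null), or uppercase hex."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw == "(null)":
        return ""
    return bytes.fromhex(raw).decode("utf-8", errors="replace")


def group_events(log: str) -> dict[str, list[dict[str, str]]]:
    """Group records by event serial; one execve yields SYSCALL, EXECVE, CWD, PATH records."""
    events: dict[str, list[dict[str, str]]] = defaultdict(list)
    for line in log.splitlines():
        m = SERIAL_RE.search(line)
        if m:
            events[m.group(1)].append(parse_fields(line))
    return events


def argv_from_execve(records: list[dict[str, str]]) -> list[str] | None:
    """Rebuild argv from the EXECVE record(s); None when the event has none."""
    execve = [r for r in records if r.get("type") == "EXECVE"]
    if not execve:
        return None
    chunks: dict[int, dict[int, str]] = defaultdict(dict)  # arg index -> chunk -> text
    for rec in execve:
        for key, raw in rec.items():
            m = ARG_RE.match(key)
            if m:
                chunks[int(m.group(1))][int(m.group(2) or 0)] = decode_value(raw)
    argc = int(execve[0].get("argc", len(chunks)))
    return ["".join(chunks[i][c] for c in sorted(chunks[i])) for i in range(argc)]


def summarize(log: str) -> list[tuple[str, str, str, list[str] | None]]:
    """(serial, exe, rule key, argv or None) per event, in serial order."""
    rows = []
    for serial, records in sorted(group_events(log).items(), key=lambda kv: int(kv[0])):
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), {})
        rows.append((serial,
                     decode_value(syscall.get("exe", '""')),
                     decode_value(syscall.get("key", '""')),
                     argv_from_execve(records)))
    return rows


if __name__ == "__main__":
    for serial, exe, key, argv in summarize(SAMPLE_LOG):
        shown = " ".join(argv) if argv is not None else "<no EXECVE record>"
        print(f"{serial} key={key} exe={exe} argv: {shown}")
```

Running it shows events 201, 202 and 204 with a full command line and event 203, the watch hit, with none: the watch tells you that /usr/bin/docker was touched and by which process, the execve rule tells you what was run. To use it on a real host, feed it the output of ausearch -k exec --raw instead of the constructed sample.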
Container: CentOS 7.4 - Linux 3.10
OS Host: CentOS 7.2 - Linux 3.10
Auditbeat 6.2.4
Configuration below:

auditbeat.modules:
- module: auditd
  audit_rules: |
    -w /usr/bin/docker -p rwxa -k docker
I'm not monitoring execve syscalls. I'll try that. I'm trying to avoid a lot of noise.
I added those rules and it looks a lot better. Thanks!