The process dataset of the system module of auditbeat does not register short-running processes (version = 7.8.1). E.g. a cat of a small file will not show up in the auditbeat index, a cat of a bigger file will. Both cats do show up in auditd when running aureport -f | grep cat.
This is quite annoying for a SIEM. E.g. the shred detector will not be triggered when it is used on small files. In auditbeat.yml, period = 1s.
I found the issue: auditd was active on the system(s).
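An added configuration example, not taken from this thread or from Elastic's documentation, contrasting the two ways Auditbeat 7.x can observe processes on Linux: the polling system/process dataset discussed above and the auditd module, which receives execve events from the kernel audit subsystem and therefore also records processes that live for less than one polling period. The rule key name "exec", the choice of socket_type and the rules path are assumptions for illustration.

```yaml
# Added example (not from the thread above). Assumes Auditbeat 7.x on Linux
# with a kernel that supports the audit multicast socket (3.16+).
auditbeat.modules:

# system/process samples /proc once per `period`. A process that starts and
# exits between two samples (a `cat` of a small file) is never seen, so a
# shorter period only narrows the gap, it does not close it.
- module: system
  datasets:
    - process
  period: 1s

# The auditd module is event-driven: the kernel reports every execve, however
# short the process lived. Only one process may own the kernel audit socket
# (unicast); when the auditd daemon is running, Auditbeat cannot take it and
# must subscribe read-only with socket_type: multicast. In that case the rules
# should be loaded through auditd itself (e.g. /etc/audit/rules.d/exec.rules),
# since Auditbeat then only reads the events auditd's rules produce.
- module: auditd
  socket_type: multicast   # use unicast when auditd is stopped and Auditbeat owns the socket
  audit_rules: |
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -a always,exit -F arch=b32 -S execve,execveat -k exec
```

A quick check before relying on either source: `auditctl -s` prints the pid of the process currently holding the audit socket, and `systemctl is-active auditd` tells you whether the daemon is running; if it is, the auditd module's own rule management does not apply and the exec rule has to come from auditd's rule files.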