Hello.
I'm having the following problem: I have machines with Debian 9.11 that run auditd (for managing the audit rules) and auditbeat (version 7.5.1, for shipping the events off to logstash).
Even though the configuration for auditbeat is working and I see metrics sent to logstash (both in the journal of auditbeat as well as in logstash), I don't see any audit-events being processed.
My auditbeat.yml is this:
---
name: web01
fields_under_root: false
queue:
  mem:
    events: 4096
    flush:
      min_events: 0
      timeout: 0s
logging:
  level: info
  selectors: :undef
  to_syslog: false
  to_eventlog: false
  json: false
  to_files: true
  files:
    path: "/var/log/auditbeat"
    name: auditbeat
    keepfiles: 7
    rotateeverybytes: 10485760
    permissions: '0600'
  metrics:
    enabled: true
    period: 30s
output:
  logstash:
    hosts:
      - log01:5000
      - log02:5000
      - log03:5000
    ssl:
      enabled: true
      certificate_authorities:
        - "/etc/ssl/certs/validcert.pem"
auditbeat:
  modules:
    - module: auditd
      enabled: true
The only interesting message I see in the logs is:
[auditd] auditd/audit_linux.go:216 No audit_rules were specified.
Which is correct, I did not specify any rules. But auditbeat seems to acknowledge that there are rules present, according to auditbeat show auditd-rules. Could anyone provide some leads on how to solve this? Thank you!
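One check worth running on a host where auditd and auditbeat's auditd module are both active is to see which process is currently registered as the audit daemon on the kernel audit socket, since only one process receives the events. This is an added example, not code from the original post or from the auditbeat project; it assumes the two `auditctl -s` output layouts described in the comments and that the command is run as root.

```shell
#!/bin/sh
# Added example (not from the original post): report which process currently
# owns the kernel audit socket according to `auditctl -s`. Both output
# layouts below are assumed:
#   newer auditctl:  one "key value" pair per line, e.g. "pid 1234"
#   older auditctl:  "AUDIT_STATUS: enabled=1 flag=1 pid=1234 ..."

# Extract the registered audit daemon pid from `auditctl -s` text on stdin.
# Prints "0" when no daemon is registered or the pid field is absent.
audit_socket_pid() {
    awk '
        /^pid +[0-9]+$/ { print $2; found = 1; exit }
        /pid=[0-9]+/ {
            match($0, /pid=[0-9]+/)
            print substr($0, RSTART + 4, RLENGTH - 4)
            found = 1; exit
        }
        END { if (!found) print 0 }
    '
}

# Resolve a pid to its command name via /proc; prints "none" for pid 0.
audit_socket_owner() {
    pid=$1
    if [ "$pid" -eq 0 ] 2>/dev/null; then
        echo none
    elif [ -r "/proc/$pid/comm" ]; then
        cat "/proc/$pid/comm"
    else
        echo "unknown(pid $pid)"
    fi
}

# Usage on a live host (root required for auditctl):
#   owner=$(audit_socket_owner "$(auditctl -s | audit_socket_pid)")
#   echo "audit socket owner: $owner"
```

If the owner printed is auditd, the events are going to that daemon and not to auditbeat; if it is auditbeat, the daemon has lost the socket instead.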