I'm having the following problem: I have machines with Debian 9.11 that run auditd (for managing the audit rules) and auditbeat (version 7.5.1, for shipping the events off to logstash).
Even though the configuration for auditbeat is working and I see metrics sent to logstash (both in the journal of auditbeat as well as in logstash), I don't see any audit-events being processed.
My auditbeat.yml is this:
- module: auditd
The only interesting message I see in the logs is:
[auditd] auditd/audit_linux.go:216 No audit_rules were specified.
Which is correct: I did not specify any rules. But auditbeat seems to acknowledge that there are rules present, according to auditbeat show auditd-rules. Could anyone provide some leads on how to solve this? Thank you!
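For comparison, here is an added example of an auditd module configuration for the case described above (auditd keeps managing the rules, auditbeat only consumes events); it is not the poster's auditbeat.yml and not an official Elastic sample. It assumes a kernel with audit multicast support (3.16 or newer, which Debian 9's kernel is), and the commented-out block shows how rules would be handed to auditbeat instead if that were wanted.

```yaml
auditbeat.modules:
- module: auditd
  # Assumption: auditd is running and owns the audit rules.
  # Only one process can hold the unicast audit socket, so auditbeat
  # must join as a multicast reader rather than compete with auditd.
  socket_type: multicast
  # Helps reviewers: turn uid/gid in events into names.
  resolve_ids: true
  # Keep auditbeat from failing loudly on kernel backlog pressure;
  # detection coverage is still verified from the shipped events.
  failure_mode: silent
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false

  # Alternative (not used when auditd manages the rules): let auditbeat
  # load rules itself. Leaving this out is what produces the
  # "No audit_rules were specified." message seen in the logs.
  # audit_rules: |
  #   -w /etc/passwd -p wa -k identity
  #   -w /etc/sudoers -p wa -k privilege
  # audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
```

After a restart, auditbeat show auditd-rules reports the rules currently loaded in the kernel (whichever process loaded them), which is why it can list rules even when auditbeat.yml contains none.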