Hi, Running Auditbeat 6.4.2 and the rules in the .yml file are:

  audit_rules: |
    -w /etc/auditbeat/auditbeat.yml -p wa -k auditbeat_issue
    -w /etc/passwd -p wa -k passwd_changes
    -w /PTC/ -p wr -k ptc_code_access

But the rules that are set when doing an auditctl -l are:

  -a never,exit -S all -F pid=28948
  -w /etc/auditbeat/auditbeat.yml -p wa -k auditbeat_issue
  -w /etc/passwd -p wa -k passwd_changes
  -w /PTC/ -p wr -k ptc_code_access

Where is the first one coming from? It definitely appears to be from auditbeat, as if I stop auditbeat, delete all the rules and restart it, back it comes with a different pid.

Complete yml file below.
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/auditbeat/index.html

#============================ Config Reloading ================================

# Config reloading allows modules to be loaded dynamically. Each file which is
# monitored must contain one or multiple modules as a list.
auditbeat.config.modules:
  # Glob pattern for configuration reloading
  path: ${path.config}/conf.d/*.yml
  # Period on which files under path should be checked for changes
  reload.period: 10s
  # Set to true to enable config reloading
  reload.enabled: true

# Maximum amount of time to randomly delay the start of a metricset. Use 0 to
# disable startup delay.
auditbeat.max_start_delay: 10s

#========================== Modules configuration =============================
auditbeat.modules:

# The kernel metricset collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
- module: auditd
  resolve_ids: true
  failure_mode: log
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  audit_rules: |
    -w /etc/auditbeat/auditbeat.yml -p wa -k auditbeat_issue
    -w /etc/passwd -p wa -k passwd_changes
    -w /PTC/ -p wr -k ptc_code_access

#================================ General ======================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
# If this option is not defined, the hostname is used.
name: ptc-desk-vm

#================================ Outputs ======================================

# Configure what output to use when sending the data collected by the beat.

#----------------------------- Logstash output ---------------------------------
output.logstash:
  hosts: ["soptct62-02.location.ptc.com:5044"]
  protocol: "https"

# output.console:
#   pretty: true

#================================= Paths ======================================

# The data path for the auditbeat installation. This is the default base path
# for all the files in which auditbeat needs to store its data. If not set by a
# CLI flag or in the configuration file, the default for the data path is a data
# subdirectory inside the home path.
# path.data: /MON/data

# The logs path for an auditbeat installation. This is the default location for
# the Beat's log files. If not set by a CLI flag or in the configuration file,
# the default for the logs path is a logs subdirectory inside the home path.
# path.logs: /MON/logs

#============================== Dashboards =====================================

# I've been advised by the Auditbeat guru that it is better to manually add
# the dashboards. Must be done after the index template has been deployed.
# The command is:
#auditbeat setup -e -d "*" \
#  -E output.logstash.enabled=false \
#  -E output.elasticsearch.hosts=['elasticstack:9200'] \
#  -E setup.kibana.host=elasticstack:5601 \
#  -E setup.dashboards.always_kibana=true

#============================== Template =====================================

# I have been advised by the Auditbeat guru that it is better to deploy
# the template manually. The command to do this is:
#auditbeat setup --template -E output.logstash.enabled=false \
#  -E 'output.elasticsearch.hosts=["soptct62-02.ptc.com:9200"]'
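Added example, not part of the original post or of Auditbeat itself: a small POSIX shell checker that compares the rules actually loaded in the kernel (the `auditctl -l` output) against the rules declared in the `audit_rules` block, and labels anything extra. A rule of the form `-a never,exit -S all -F pid=N` tells the kernel to never emit exit-syscall records for process N, so the checker extracts N and looks up the owning process name in `/proc/N/comm` to show which daemon the exclusion belongs to. Both rule lists below are constructed inline from the post so the script runs offline; in practice they would come from the config file and from `auditctl -l`.

```shell
#!/bin/sh
# Constructed sample: the audit_rules block from auditbeat.yml as shown in the post.
CONFIGURED_RULES='-w /etc/auditbeat/auditbeat.yml -p wa -k auditbeat_issue
-w /etc/passwd -p wa -k passwd_changes
-w /PTC/ -p wr -k ptc_code_access'

# Constructed sample: the `auditctl -l` output shown in the post.
LOADED_RULES='-a never,exit -S all -F pid=28948
-w /etc/auditbeat/auditbeat.yml -p wa -k auditbeat_issue
-w /etc/passwd -p wa -k passwd_changes
-w /PTC/ -p wr -k ptc_code_access'

# classify_rule RULE -> prints exactly one label:
#   configured       : the rule appears verbatim in the configured set
#   pid_exclusion:N  : "-a never,exit ... -F pid=N" form, i.e. the kernel is told
#                      to emit no exit-syscall records for process N
#   unknown          : anything else, which a defender should investigate
classify_rule() {
    rule=$1
    if printf '%s\n' "$CONFIGURED_RULES" | grep -Fxq -- "$rule"; then
        echo configured
        return
    fi
    case $rule in
        "-a never,exit"*"-F pid="*)
            pid=$(printf '%s' "$rule" | sed -n 's/.*-F pid=\([0-9][0-9]*\).*/\1/p')
            echo "pid_exclusion:$pid"
            return ;;
    esac
    echo unknown
}

# owner_of_pid N -> command name of the live process N, or "not-running".
# On the host in the post this is the place to confirm the pid belongs to auditbeat.
owner_of_pid() {
    if [ -r "/proc/$1/comm" ]; then cat "/proc/$1/comm"; else echo not-running; fi
}

# unexpected_rules -> one line per loaded rule that is not in the configured set:
#   <label> TAB <rule> [TAB owner=<process>]
unexpected_rules() {
    printf '%s\n' "$LOADED_RULES" | while IFS= read -r rule; do
        label=$(classify_rule "$rule")
        [ "$label" = configured ] && continue
        case $label in
            pid_exclusion:*)
                pid=${label#pid_exclusion:}
                printf '%s\t%s\towner=%s\n' "$label" "$rule" "$(owner_of_pid "$pid")" ;;
            *)
                printf '%s\t%s\n' "$label" "$rule" ;;
        esac
    done
}

# count_unexpected -> number of loaded rules not accounted for by the config.
count_unexpected() { unexpected_rules | wc -l | tr -d ' '; }

unexpected_rules
```

Run against the post's data it reports a single unexpected rule, labelled `pid_exclusion:28948`; on the affected host the `owner=` field shows whether that pid is the auditbeat process, which is the check to make before treating the rule as a finding. A monitoring job can call `count_unexpected` on a schedule and alert when the number changes, since a new exclusion rule that does not belong to the collector is exactly the kind of drift worth catching.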