Hi Andrew, that makes sense, but which rule (based on the above rules) is sending the following types of messages across? ptcdeskvm and ptcdeskfs have the same rules and we see them for both.
I understand about filtering the messages out using things like Logstash, and have done so for things like TSM backups running against the /PTC directory, but these are not being sent by any of the rules that I can see, so I am wondering where they are coming from.
@timestamp: November 17th 2018, 09:35:01.200
@version: 1
_id: 1FgGIWcBOPn74kFzBq2n
_index: auditbeat-6.6.0-2018.11.17
_score: -
_type: doc
auditd.data.acct: root
auditd.data.op: PAM:session_close
auditd.data.terminal: cron
auditd.result: success
auditd.sequence: 1,640,329
auditd.session: 1173
auditd.summary.actor.primary: root
auditd.summary.actor.secondary: root
auditd.summary.how: /usr/sbin/cron
auditd.summary.object.primary: cron
auditd.summary.object.type: user-session
beat.hostname: ptcdeskfs
beat.name: ptc-desk-fs
beat.version: 6.6.0
event.action: ended-session
event.category: user-login
event.module: auditd
event.type: user_end
host: { "name": "ptc-desk-fs" }
process.exe: /usr/sbin/cron
process.pid: 14274
tags: beats_input_raw_event
user.auid: 0
user.name_map.auid: root
user.name_map.uid: root
user.uid: 0
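Added example (not code from the post, from Auditbeat or from Elastic): a small Python filter that separates the cron PAM session record pasted above from records a practitioner would want to keep. The record is a PAM session open/close message (audit types USER_START/USER_END, surfaced by Auditbeat as event.category user-login with auditd.data.op PAM:session_*); libpam writes these to the kernel audit log on its own, so no auditctl rule needs to match for them to appear, which is why they show up on every host that runs cron jobs regardless of the rule set. The caveat the filter encodes is to drop only the cron-driven session records (terminal cron, process.exe /usr/sbin/cron) and not the whole user-login category, since interactive sshd logins share that category. The sshd login and the rule-match sample records, and the assumption that rule matches arrive with event.category audit-rule and the rule key in tags, are constructed for the example and not taken from the thread.

```python
"""Classify Auditbeat auditd records and drop cron PAM session noise.

Added example for the thread above; not Auditbeat's or Elastic's code.
Field names follow the Auditbeat 6.x document pasted in the thread. The
sshd and rule-match records below are constructed with assumed values.
"""

# Constructed from the record pasted in the thread (values as shown there).
CRON_SESSION_CLOSE = {
    "auditd.data.acct": "root",
    "auditd.data.op": "PAM:session_close",
    "auditd.data.terminal": "cron",
    "auditd.result": "success",
    "auditd.summary.how": "/usr/sbin/cron",
    "auditd.summary.object.type": "user-session",
    "beat.hostname": "ptcdeskfs",
    "event.action": "ended-session",
    "event.category": "user-login",
    "event.module": "auditd",
    "event.type": "user_end",
    "process.exe": "/usr/sbin/cron",
    "user.uid": 0,
}

# Constructed: the matching PAM session open emitted when the cron job started.
CRON_SESSION_OPEN = dict(
    CRON_SESSION_CLOSE,
    **{"auditd.data.op": "PAM:session_open",
       "event.action": "started-session",
       "event.type": "user_start"},
)

# Constructed: an interactive SSH login (assumed values). This must be kept.
SSH_LOGIN = {
    "auditd.data.acct": "alice",
    "auditd.data.op": "login",
    "auditd.data.terminal": "ssh",
    "auditd.result": "success",
    "auditd.summary.how": "/usr/sbin/sshd",
    "beat.hostname": "ptcdeskfs",
    "event.action": "logged-in",
    "event.category": "user-login",
    "event.module": "auditd",
    "event.type": "user_login",
    "process.exe": "/usr/sbin/sshd",
}

# Constructed: a record produced by a file watch rule (-w /PTC -k ptc_watch).
# Assumed shape: category audit-rule, rule key carried in tags.
RULE_MATCH = {
    "auditd.result": "success",
    "auditd.summary.how": "/usr/bin/vim",
    "beat.hostname": "ptcdeskfs",
    "event.action": "opened-file",
    "event.category": "audit-rule",
    "event.module": "auditd",
    "event.type": "syscall",
    "tags": ["ptc_watch"],
}


def classify(event):
    """Return 'cron-session', 'login', 'rule-match' or 'other' for one record."""
    if event.get("event.module") != "auditd":
        return "other"
    if event.get("event.category") == "user-login":
        op = event.get("auditd.data.op", "")
        # PAM session open/close written by libpam, not by any auditctl rule.
        # Only treat it as noise when cron itself is the session owner.
        if (op.startswith("PAM:session")
                and event.get("auditd.data.terminal") == "cron"
                and event.get("process.exe") == "/usr/sbin/cron"):
            return "cron-session"
        return "login"
    if event.get("event.category") == "audit-rule":
        return "rule-match"
    return "other"


def drop_cron_session_noise(events):
    """Keep every record except cron PAM session open/close messages."""
    return [e for e in events if classify(e) != "cron-session"]


def count_by_host(events):
    """Per-host count of cron session records, to see which hosts emit them."""
    counts = {}
    for e in events:
        if classify(e) == "cron-session":
            host = e.get("beat.hostname", "unknown")
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [CRON_SESSION_OPEN, CRON_SESSION_CLOSE, SSH_LOGIN, RULE_MATCH]
    for ev in sample:
        print(classify(ev), ev.get("auditd.summary.how"))
    print(count_by_host(sample))
    print(len(drop_cron_session_noise(sample)), "records kept")
```

The same condition (event.category user-login, auditd.data.op starting with PAM:session, auditd.data.terminal cron) can be expressed as a Logstash conditional with a drop filter if the goal is to stop these records before they reach Elasticsearch; the Python above is the logic, not a Logstash config.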