Auditbeat showing logs that are filtered out


I'm trying to set log monitoring for servers but I can see logs that I have filtered out in Kibana. I want to it to only log entries where auid is between 2000 and 2099(including both). For that I have configured auditbeat with the following config.

Auditbeat config is here:

But I can also see entries with auid as "0" or "unset" as shown in the image below:

How can I make sure logs which have auid as unset or 0 are filtered out? All of my efforts in trial and error and Google searching/reading docs have been futile so far. Would really appreciate any help.

Thank you!

What does auditbeat show auditd-rules output?

How about something like

- module: auditd
  audit_rules: |
    -a never,exit -F auid<2000 -S all
    -a never,exit -F auid>2099 -S all
    -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
    -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
    -a exit,always -F arch=b64 -F euid>=1000 -S execve -k useract
    -a exit,always -F arch=b32 -F euid>=1000 -S execve -k useract

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.