Auditbeat showing logs that are filtered out

arhue · January 22, 2019, 10:26am

Hello,

I'm trying to set log monitoring for servers but I can see logs that I have filtered out in Kibana. I want to it to only log entries where auid is between 2000 and 2099(including both). For that I have configured auditbeat with the following config.

Auditbeat config is here: https://pastebin.com/NP7ZmuK9

But I can also see entries with auid as "0" or "unset" as shown in the image below:

How can I make sure logs which have auid as unset or 0 are filtered out? All of my efforts in trial and error and Google searching/reading docs have been futile so far. Would really appreciate any help.

Thank you!

andrewkroh · January 27, 2019, 4:49pm

What does auditbeat show auditd-rules output?

How about something like

auditbeat.modules:
- module: auditd
  audit_rules: |
    -a never,exit -F auid<2000 -S all
    -a never,exit -F auid>2099 -S all
    -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
    -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
    -a exit,always -F arch=b64 -F euid>=1000 -S execve -k useract
    -a exit,always -F arch=b32 -F euid>=1000 -S execve -k useract

Topic		Replies	Views
Auditbeat setting unspecified rule Beats auditbeat	10	1245	December 19, 2018
Auditbeat only sending metrics, not events Beats auditbeat	1	567	February 5, 2020
Auditbeat issue - custom audit rule not working Beats auditbeat	2	554	April 5, 2019
Auid value not set properly Beats auditbeat	2	1189	April 22, 2019
Needs to drop audit beat data Logstash	2	216	September 22, 2022

Auditbeat showing logs that are filtered out

Related topics