Auditbeat showing logs that are filtered out

Hello,

I'm trying to set up log monitoring for servers, but I can see logs in Kibana that I have filtered out. I want it to only log entries where auid is between 2000 and 2099 (including both). For that I have configured Auditbeat with the following config.

Auditbeat config is here: https://pastebin.com/NP7ZmuK9

But I can also see entries with auid as "0" or "unset" as shown in the image below:

How can I make sure logs which have auid as unset or 0 are filtered out? All of my efforts in trial and error and Google searching/reading docs have been futile so far. Would really appreciate any help.

Thank you!

What does `auditbeat show auditd-rules` output?

How about something like

auditbeat.modules:
- module: auditd
  audit_rules: |
    ## Rules are matched in order, so the "never" rules that drop everything
    ## outside the 2000-2099 auid range have to come before the "always" rules.
    -a never,exit -F auid<2000 -S all
    -a never,exit -F auid>2099 -S all
    ## Record execve for root and for regular users (auid already restricted above).
    -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
    -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
    -a exit,always -F arch=b64 -F euid>=1000 -S execve -k useract
    -a exit,always -F arch=b32 -F euid>=1000 -S execve -k useract
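To show why the `never` rules must come first and why an "unset" auid is caught by `auid>2099`, here is an added Python model (not auditd or Auditbeat code) of the kernel's first-match evaluation of the exit filter, run over the rule set from the reply above and a few constructed events. It handles only the `-a`, `-F` and `-S` options, and assumes the kernel's unsigned comparison of an unset loginuid, which is stored as (u32)-1.

```python
import re

AUID_UNSET = 0xFFFFFFFF  # an unset loginuid is (u32)-1 in the kernel; auditd prints it as "unset"

# Constructed rule set mirroring the reply above (b64 lines only, for brevity).
RULES = """
-a never,exit -F auid<2000 -S all
-a never,exit -F auid>2099 -S all
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b64 -F euid>=1000 -S execve -k useract
"""

OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}
FIELD_RE = re.compile(r"^(\w+)(>=|<=|!=|=|>|<)(.+)$")

def parse_rules(text):
    """Turn auditctl-style lines into (action, [(field, op, value)], {syscalls})."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("#"):
            continue
        action = "never" if "never" in toks[toks.index("-a") + 1].split(",") else "always"
        fields, syscalls = [], set()
        for i, tok in enumerate(toks):
            if tok == "-F":
                fields.append(FIELD_RE.match(toks[i + 1]).groups())
            elif tok == "-S":
                syscalls.add(toks[i + 1])
        rules.append((action, fields, syscalls))
    return rules

def _field_matches(event, field, op, value):
    actual = event.get(field)
    if actual is None:
        return False
    if field == "arch":                      # arch is compared as a string
        return OPS[op](actual, value)
    if actual == "unset":                    # model the kernel's unsigned compare
        actual = AUID_UNSET
    return OPS[op](int(actual), int(value))

def is_logged(rules, event):
    """First matching rule decides, as in the kernel exit filter; no match means not logged."""
    for action, fields, syscalls in rules:
        if "all" not in syscalls and event["syscall"] not in syscalls:
            continue
        if all(_field_matches(event, f, op, v) for f, op, v in fields):
            return action == "always"
    return False
```

Reversing the rule order makes `is_logged` return True for an auid-0 root execve, which is the symptom described in the question.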
