Auditd module | No results found

I'm trying to utilize the Auditd module (Filebeat Reference [6.1] | Elastic).

My Elastic Stack environment:

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 (Maipo)
# rpm -q filebeat elasticsearch
filebeat-6.1.0-1.x86_64
elasticsearch-6.1.0-1.noarch
# 

I'm trying to open [Filebeat Auditd] Audit Events dashboard and I see

No results found

My configuration:

# filebeat modules list
Enabled:
auditd
system

Disabled:
apache2
auditd
icinga
kafka
logstash
mysql
nginx
postgresql
redis
system
traefik
# cat /etc/filebeat/modules.d/auditd.yml
- module: auditd
  log:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/audit/audit.log*"]
# file /var/log/audit/audit.log*
/var/log/audit/audit.log:   ASCII text
/var/log/audit/audit.log.1: ASCII text, with very long lines
/var/log/audit/audit.log.2: ASCII text
/var/log/audit/audit.log.3: ASCII text
/var/log/audit/audit.log.4: ASCII text
# filebeat test config
Config OK
# filebeat test output
elasticsearch: http://X:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: X.X.X.X
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 6.1.0
# 

After switching logging.level to debug, I can see filebeat is publishing events, yet when I check via Kibana I don't see any...

and now and then I see the following WARN:

2017-12-19T10:50:01-05:00 DBG  [elasticsearch] PublishEvents: 1 events have been  published to elasticsearch in 6.884453ms.
2017-12-19T10:50:01-05:00 WARN Can not index event (status=400): {"type":"mapper_parsing_exception","reason":"Failed to parse mapping [doc]: Mapping definition for [error] has unsupported parameters:  [properties : {code={type=long}, message={norms=false, type=text}, type={ignore_above=1024, type=keyword}}]","caused_by":{"type":"mapper_parsing_exception","reason":"Mapping definition for [error] has unsupported parameters:  [properties : {code={type=long}, message={norms=false, type=text}, type={ignore_above=1024, type=keyword}}]"}}
2017-12-19T10:50:01-05:00 DBG  [memqueue] ackloop: receive ack [81: 0, 1]
2017-12-19T10:50:01-05:00 DBG  [memqueue] broker ACK events: count=1, start-seq=107, end-seq=107

2017-12-19T10:50:01-05:00 DBG  [memqueue] ackloop: return ack to broker loop:1
2017-12-19T10:50:01-05:00 DBG  [memqueue] ackloop:  done send ack

Please advise

It looks like there is a conflict in the index template. I assume you used Metricbeat 5 and upgraded to 6 but changed the index name and template generation? Can you share your ES output configs?
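To make the symptom in the WARN line and the reply's suspicion concrete: the 400 body says Elasticsearch was handed a mapping in which `error` is an object with `code`, `message` and `type` sub-fields, and that the existing mapping for `error` does not accept `properties`, which is what Elasticsearch reports when the field already exists as a non-object type. The script below, added here as an example (not Filebeat's or Elasticsearch's own code), parses that error body to name the conflicting field, and then walks two mapping trees to report every leaf-versus-object or type mismatch. The error JSON is quoted from the post; both mapping fragments are constructed, and the "old" one is an assumption made to reproduce the symptom.

```python
import json
import re

# Error payload quoted from the WARN line in the post above (the rest of the
# Filebeat log line is not part of the JSON body).
SAMPLE_400_BODY = json.dumps({
    "type": "mapper_parsing_exception",
    "reason": "Failed to parse mapping [doc]: Mapping definition for [error] has unsupported parameters:  [properties : {code={type=long}, message={norms=false, type=text}, type={ignore_above=1024, type=keyword}}]",
    "caused_by": {
        "type": "mapper_parsing_exception",
        "reason": "Mapping definition for [error] has unsupported parameters:  [properties : {code={type=long}, message={norms=false, type=text}, type={ignore_above=1024, type=keyword}}]",
    },
})

# Constructed (assumed) mapping of an index or template left over from an
# older install: "error" is a plain keyword leaf.
OLD_MAPPING = {
    "properties": {
        "error": {"type": "keyword", "ignore_above": 1024},
        "message": {"type": "text", "norms": False},
    }
}

# Constructed mapping matching what the 400 body says is being applied:
# "error" is an object with code/message/type sub-fields.
NEW_MAPPING = {
    "properties": {
        "error": {
            "properties": {
                "code": {"type": "long"},
                "message": {"type": "text", "norms": False},
                "type": {"type": "keyword", "ignore_above": 1024},
            }
        },
        "message": {"type": "text", "norms": False},
    }
}

_UNSUPPORTED_RE = re.compile(
    r"Mapping definition for \[([^\]]+)\] has unsupported parameters:\s*\[(\w+)\s*:"
)


def parse_mapping_error(body):
    """Extract (field, offending_parameter) from a mapper_parsing_exception
    body returned with HTTP 400; None if the body is some other error."""
    doc = json.loads(body)
    if doc.get("type") != "mapper_parsing_exception":
        return None
    # The innermost cause carries the most specific message.
    reason = doc.get("caused_by", {}).get("reason") or doc.get("reason", "")
    m = _UNSUPPORTED_RE.search(reason)
    return (m.group(1), m.group(2)) if m else None


def _kind(node):
    """Describe a mapping node as 'object' or by its leaf type."""
    return "object" if "properties" in node else node.get("type", "unknown")


def find_mapping_conflicts(old, new, path=""):
    """Walk two mapping trees and return [(field_path, old_kind, new_kind)]
    for every field that is an object on one side and a leaf on the other,
    or a leaf of a different type on each side."""
    conflicts = []
    old_obj, new_obj = "properties" in old, "properties" in new
    if old_obj != new_obj:
        return [(path, _kind(old), _kind(new))]
    if old_obj:
        for name in sorted(set(old["properties"]) & set(new["properties"])):
            child = f"{path}.{name}" if path else name
            conflicts.extend(
                find_mapping_conflicts(old["properties"][name], new["properties"][name], child)
            )
    elif _kind(old) != _kind(new):
        conflicts.append((path, _kind(old), _kind(new)))
    return conflicts


if __name__ == "__main__":
    print("400 body points at:", parse_mapping_error(SAMPLE_400_BODY))
    for field, old_kind, new_kind in find_mapping_conflicts(OLD_MAPPING, NEW_MAPPING):
        print(f"conflict at '{field}': existing={old_kind} incoming={new_kind}")
```

On a live cluster the two trees to compare would be the `mappings` section of the template currently installed (`GET _template/filebeat-*`) and the mapping of the existing `filebeat-*` index that is rejecting the events; running the walk over those tells you which field, rather than which event, is blocking indexing, which is the question the reply is asking with the request for the ES output configuration.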
