Can not get host Primary Username Tag in auditbeat


I run auditbeat with "docker-compose up". On the "Executions" tab of Kibana's Dashboard I try to monitor sudo commands from different users on the host machine, but even if I switch users and run sudo commands, auditbeat shows that the same user is executing these commands. Why doesn't it understand which user is typing what command?

(Noémi Ványi) #2

sudo lets users run commands as a different user, most of the time as root. So if all users are running sudo ls, all commands are executed as root. See more here in the section "Command execution":
Thus, auditbeat shows that the same user executes the command.

(Andrew Kroh) #3

The value is usually mapped to the name associated with the user.auid. The auid starts out as the user's uid and never changes even if the user does sudo. This allows you to monitor what that user does even if he changes accounts.

Have you looked at the auid and uid values to see if they are correct? Maybe it's just the username values that are incorrect?

In order to make the resolve_ids feature work correctly inside of Docker you'll need to mount the host's /etc/passwd and /etc/group file inside the container so that Auditbeat can resolve IDs to the correct names.
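The following is an added example, not code from Auditbeat or from the reply above, that models the point made in this answer: after sudo the uid of the process becomes 0, but the auid keeps the login user's id, and both ids can only be turned into names if the passwd table the resolver reads actually contains the host's entries. The passwd text and the auditd SYSCALL records are constructed for the example; the passwd text stands in for the host's /etc/passwd that the reply says must be bind-mounted into the container. The "unset" auid value 4294967295 (the kernel's -1 as an unsigned 32-bit value) is handled as a login-less process.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the host's /etc/passwd. Inside a container this
# table is only correct if the host's copy is mounted in (e.g. a read-only
# bind mount of /etc/passwd and /etc/group in docker-compose).
HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

# Constructed auditd SYSCALL records (subset of fields) from four execve calls.
AUDIT_RECORDS = [
    # alice runs `ls` directly: auid and uid agree.
    'type=SYSCALL msg=audit(1.001:10): syscall=59 success=yes auid=1000 uid=1000 euid=1000 comm="ls"',
    # alice runs `sudo ls`: sudo switched uid to root, auid is unchanged.
    'type=SYSCALL msg=audit(1.002:11): syscall=59 success=yes auid=1000 uid=0 euid=0 comm="ls"',
    # bob runs `sudo ls`: same uid as alice's sudo, different auid.
    'type=SYSCALL msg=audit(1.003:12): syscall=59 success=yes auid=1001 uid=0 euid=0 comm="ls"',
    # A daemon with no login session: auid is the kernel's "unset" value.
    'type=SYSCALL msg=audit(1.004:13): syscall=59 success=yes auid=4294967295 uid=0 euid=0 comm="cron"',
]

UNSET_AUID = 4294967295  # (u32)-1: no login session has been attached

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_passwd(text: str) -> Dict[int, str]:
    """Map numeric uid -> user name from passwd(5)-formatted text."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        table[int(fields[2])] = fields[0]
    return table


def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd record into key=value fields, unquoting quoted values."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def resolve_id(raw: str, table: Dict[int, str]) -> Optional[str]:
    """Name for a numeric id; the numeric string if unknown; None if the auid is unset."""
    uid = int(raw)
    if uid == UNSET_AUID:
        return None
    return table.get(uid, str(uid))


def attribute_records(records: List[str], passwd_text: str) -> List[Tuple[Optional[str], Optional[str], str]]:
    """Return (login user from auid, effective user from uid, command) per record."""
    table = parse_passwd(passwd_text)
    rows = []
    for line in records:
        fields = parse_record(line)
        rows.append((
            resolve_id(fields["auid"], table),
            resolve_id(fields["uid"], table),
            fields["comm"],
        ))
    return rows


if __name__ == "__main__":
    print("with the host passwd table:")
    for login, effective, comm in attribute_records(AUDIT_RECORDS, HOST_PASSWD):
        print(f"  login={login!s:<8} effective={effective!s:<8} command={comm}")
    print("with an empty passwd table (what an unmounted container sees):")
    for login, effective, comm in attribute_records(AUDIT_RECORDS, ""):
        print(f"  login={login!s:<8} effective={effective!s:<8} command={comm}")
```

Run against the host table, the two sudo records attribute to alice and bob by auid while their effective user is root, which is the distinction the dashboard needs. Run against an empty table, the same records degrade to bare numeric ids; that is the symptom to expect when Auditbeat resolves ids inside a container that does not have the host's /etc/passwd and /etc/group mounted.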