Cannot get Auditbeat add_docker_metadata to work

Hello there!

I am running an ELK Stack 7.17.6 in Docker on Linux and am trying to collect audit data with Auditbeat. Everything works fine, but for some reason no Docker metadata is added to events, even though the processor add_docker_metadata is used.

This is my ELK setup (docker-compose.yml):

version: '3'
networks:
  elk:
    name: elk_network
    driver: bridge
    
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.6
    ports:
      - 127.0.0.1:9200:9200
    environment:
      discovery.type: 'single-node'
      xpack.security.enabled: 'true'
      xpack.monitoring.enabled: 'true'
      ELASTIC_PASSWORD: ${ELASTIC_PW}
      ES_MEM_LIMIT: 4g
      ES_JVM_HEAP: 512m
    networks:
      - elk
    container_name: elasticsearch
    healthcheck:
      test: ["CMD", "curl","-s" ,"-f", "http://elastic:admin@127.0.0.1:9200/_cat/health"]

  auditbeat:
    image: docker.elastic.co/beats/auditbeat:7.17.6
    container_name: auditbeat
    hostname: "auditbeat"
    user: root
    pid: host
    restart: unless-stopped
    cap_add:
      - AUDIT_CONTROL
      - AUDIT_READ
    networks:
      - elk
    volumes:
      - $PWD/auditbeat.yml:/usr/share/auditbeat/auditbeat.yml:ro
      - /var/run/docker.sock:/var/run/docker.sock
    command: ["--strict.perms=false"]
    depends_on:
      - elasticsearch
      - kibana

  kibana:
    image: docker.elastic.co/kibana/kibana:7.17.6
    volumes:
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
    ports:
      - 127.0.0.1:5601:5601
    networks:
      - elk
    container_name: kibana
    depends_on:
      elasticsearch: 
        condition: service_healthy
    restart: unless-stopped

And this is my Auditbeat configuration (auditbeat.yml):

auditbeat.modules:

# Collect Linux kernel events.
- module: auditd
  resolve_ids: true
  failure_mode: silent
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  audit_rules: |
    -a always,exit -F arch=b64 -S execve,execveat -k exec
processors:
- add_docker_metadata: ~

monitoring.enabled: true

output.elasticsearch:
  hosts: ["http://elasticsearch:9200"]
  username: elastic
  password: ${ELASTIC_PW}

setup.dashboards:
  enabled: true

setup.kibana:
  host: "http://kibana:5601"
  username: elastic
  password: ${ELASTIC_PW}

I have also tried switching the add_docker_metadata processor to:

- add_docker_metadata:
    host: "unix:///var/run/docker.sock"
    match_fields: ["system.process.cgroup.id"]
    match_pids: ["process.pid", "process.parent.pid"]
    match_source: true
    match_source_index: 4
    match_short_id: true
    cleanup_timeout: 60
    labels.dedot: false

but that did not work either.
The auditbeat.yml is also owned by root!

As I am new to ELK, I assume this could be a configuration issue.

I would really appreciate help regarding this issue, as I need docker metadata to find out in which container events are logged.

Thank you for your help!
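As an added troubleshooting example (this is not code from the post, from Auditbeat or from Elastic), the script below resolves a PID to a Docker container ID by reading /proc/<pid>/cgroup, which is the lookup add_docker_metadata performs for the PIDs listed in match_pids. The cgroup contents and the container ID are constructed samples; the proc_root parameter is an assumption of this script, so that it can be pointed at the host's /proc when run inside a container (without pid: host or a host /proc, the cgroup files of host processes are not visible and no metadata can be matched).

```python
import re
from pathlib import Path
from typing import Optional

# Docker container IDs are 64 hex characters. cgroup v1 (and v2 with the
# cgroupfs driver) expose them as /docker/<id>; cgroup v2 with the systemd
# driver uses /system.slice/docker-<id>.scope.
_CONTAINER_ID = re.compile(r"(?:/docker/|docker-)([0-9a-f]{64})(?:\.scope)?")


def container_id_from_cgroup(cgroup_text: str) -> Optional[str]:
    """Return the container ID found in the contents of /proc/<pid>/cgroup.

    Each line has the form hierarchy-ID:controllers:path (cgroup v2 writes a
    single 0::path line). Returns None for a process that is not in a container.
    """
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        match = _CONTAINER_ID.search(parts[2])
        if match:
            return match.group(1)
    return None


def container_id_for_pid(pid: int, proc_root: str = "/proc") -> Optional[str]:
    """Resolve a live PID via <proc_root>/<pid>/cgroup (proc_root is an assumed
    parameter: set it to a bind-mounted host /proc when running in a container).
    Returns None if the file is unreadable or holds no container ID."""
    path = Path(proc_root) / str(pid) / "cgroup"
    try:
        return container_id_from_cgroup(path.read_text())
    except OSError:
        return None


# Constructed sample data (not real IDs): a 64-hex-char container ID and the
# cgroup files of a containerised process on v1 and v2, plus a host process.
SAMPLE_ID = "0123456789abcdef" * 4
CGROUP_V1_SAMPLE = f"12:memory:/docker/{SAMPLE_ID}\n1:name=systemd:/docker/{SAMPLE_ID}\n"
CGROUP_V2_SAMPLE = f"0::/system.slice/docker-{SAMPLE_ID}.scope\n"
HOST_SAMPLE = "0::/user.slice/user-1000.slice/session-2.scope\n"

if __name__ == "__main__":
    import sys
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    print(f"pid {pid}: container {container_id_for_pid(pid) or 'none (host process)'}")
```

Run it with the process.pid of an event that lacks metadata, from the host first and then from inside the auditbeat container, to see whether the cgroup path visible to Auditbeat actually carries a container ID.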
