Hello there!
I am running an ELK Stack 7.17.6 in Docker on Linux and am trying to collect audit data with auditbeat. Everything works fine, but for some reason no docker metadata is added to events, even if the processor add_docker_metadata is used.
This is my elk-setup:
```yaml
version: '3'
networks:
  elk:
    name: elk_network
    driver: bridge
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.6
    ports:
      - 127.0.0.1:9200:9200
    environment:
      discovery.type: 'single-node'
      xpack.security.enabled: 'true'
      xpack.monitoring.enabled: 'true'
      ELASTIC_PASSWORD: ${ELASTIC_PW}
      ES_MEM_LIMIT: 4g
      ES_JVM_HEAP: 512m
    networks:
      - elk
    container_name: elasticsearch
    healthcheck:
      test: ["CMD", "curl", "-s", "-f", "http://elastic:admin@127.0.0.1:9200/_cat/health"]
  auditbeat:
    image: docker.elastic.co/beats/auditbeat:7.17.6
    container_name: auditbeat
    hostname: "auditbeat"
    user: root
    pid: host
    restart: unless-stopped
    cap_add:
      - AUDIT_CONTROL
      - AUDIT_READ
    networks:
      - elk
    volumes:
      - $PWD/auditbeat.yml:/usr/share/auditbeat/auditbeat.yml:ro
      - /var/run/docker.sock:/var/run/docker.sock
    command: ["--strict.perms=false"]
    depends_on:
      - elasticsearch
      - kibana
  kibana:
    image: docker.elastic.co/kibana/kibana:7.17.6
    volumes:
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
    ports:
      - 127.0.0.1:5601:5601
    networks:
      - elk
    container_name: kibana
    depends_on:
      elasticsearch:
        condition: service_healthy
    restart: unless-stopped
```
And this is my auditbeat configuration (auditbeat.yml):
```yaml
auditbeat.modules:
  # Collect Linux kernel events.
  - module: auditd
    resolve_ids: true
    failure_mode: silent
    backlog_limit: 8196
    rate_limit: 0
    include_raw_message: false
    include_warnings: false
    audit_rules: |
      -a always,exit -F arch=b64 -S execve,execveat -k exec

processors:
  - add_docker_metadata: ~

monitoring.enabled: true

output.elasticsearch:
  hosts: ["http://elasticsearch:9200"]
  username: elastic
  password: ${ELASTIC_PW}

setup.dashboards:
  enabled: true

setup.kibana:
  host: "http://kibana:5601"
  username: elastic
  password: ${ELASTIC_PW}
```
I have also tried switching the add_docker_metadata processor to:
```yaml
  - add_docker_metadata:
      host: "unix:///var/run/docker.sock"
      match_fields: ["system.process.cgroup.id"]
      match_pids: ["process.pid", "process.parent.pid"]
      match_source: true
      match_source_index: 4
      match_short_id: true
      cleanup_timeout: 60
      labels.dedot: false
```
but that did not work either.
The auditbeat.yml is also owned by root!
As I am new to ELK, I assume this could be a configuration issue.
I would really appreciate help regarding this issue, as I need docker metadata to find out in which container events are logged.
Thank you for your help!
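A diagnostic you can run to see whether pid-based container matching can work on a given host, added here as an example and not part of the post or of Elastic's code. The add_docker_metadata processor's match_pids option resolves a pid to a container by reading that process's cgroup membership under /proc, which is the path the script below reproduces. The cgroup file contents, pids and events are constructed samples, not captured from the poster's host; the proc_root parameter is a hypothetical hook so the demo can run against a temporary fake /proc tree.

```python
import re
import tempfile
from pathlib import Path

# Constructed 64-hex container id used in the sample cgroup files below.
SAMPLE_ID = "3f1a9c2e8b7d4e6f0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7"

# Constructed /proc/<pid>/cgroup contents: cgroup v1 layout, cgroup v2 layout,
# and a plain host process that belongs to no container.
SAMPLE_CGROUP_V1 = (
    f"12:pids:/docker/{SAMPLE_ID}\n"
    f"11:memory:/docker/{SAMPLE_ID}\n"
    f"1:name=systemd:/docker/{SAMPLE_ID}\n"
)
SAMPLE_CGROUP_V2 = f"0::/system.slice/docker-{SAMPLE_ID}.scope\n"
SAMPLE_HOST_PROCESS = "0::/user.slice/user-1000.slice/session-3.scope\n"

# A full container id is exactly 64 hex characters, bounded by non-hex characters.
CONTAINER_ID_RE = re.compile(r"(?<![0-9a-f])([0-9a-f]{64})(?![0-9a-f])")


def container_id_from_cgroup_text(text):
    """Return the container id found in cgroup text, or None if the process is in no container cgroup."""
    for line in text.splitlines():
        # Each line is "<hierarchy>:<controllers>:<path>"; the id lives in the path part
        # for both v1 ("/docker/<id>") and v2 ("/system.slice/docker-<id>.scope").
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        match = CONTAINER_ID_RE.search(parts[2])
        if match:
            return match.group(1)
    return None


def container_id_for_pid(pid, proc_root="/proc"):
    """Read <proc_root>/<pid>/cgroup and map the pid to a container id (None if unreadable or not containerised)."""
    cgroup_file = Path(proc_root) / str(pid) / "cgroup"
    try:
        return container_id_from_cgroup_text(cgroup_file.read_text())
    except (FileNotFoundError, PermissionError, ProcessLookupError):
        # A missing file means the pid is gone; a permission error means the beat
        # cannot see the host's /proc and pid matching can never succeed.
        return None


def enrich_event(event, proc_root="/proc"):
    """Mimic match_pids: try process.pid, then process.parent.pid, and add container.id on the first hit."""
    for field in ("process.pid", "process.parent.pid"):
        pid = event.get(field)
        if pid is None:
            continue
        cid = container_id_for_pid(pid, proc_root)
        if cid:
            enriched = dict(event)
            enriched["container.id"] = cid
            return enriched
    return event


def demo():
    """Build a constructed /proc tree in a temp dir and enrich two constructed auditd-style events."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for pid, text in ((4242, SAMPLE_CGROUP_V2), (4243, SAMPLE_CGROUP_V1), (1000, SAMPLE_HOST_PROCESS)):
            (root / str(pid)).mkdir()
            (root / str(pid) / "cgroup").write_text(text)
        events = [
            {"event.action": "executed", "process.pid": 4242, "process.parent.pid": 4243},
            {"event.action": "executed", "process.pid": 1000, "process.parent.pid": 1},
        ]
        return [enrich_event(e, proc_root=root) for e in events]


if __name__ == "__main__":
    for enriched in demo():
        print(enriched)
```

Run it inside the auditbeat container against a real pid from an execve event (for example `container_id_for_pid(<pid>)` with the default proc_root): with `pid: host` the container should see the host's /proc, so a None result for a process you know runs in a container points at either an unreadable cgroup file or a cgroup path layout the regex above does not cover, which narrows the problem down before touching the processor options again.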