This is my config file (I hid the output.logstash/kibana part as it's irrelevant and has sensitive data. Also, it doesn't even have audit rules - it didn't work before so I removed it)
When I start auditbeat, this is what I get:
{"level":"error","timestamp":"2020-11-11T16:17:28.970Z","caller":"instance/beat.go:951","message":"Exiting: 1 error: failed to initialize file event reader: function not implemented"}
Exiting: 1 error: failed to initialize file event reader: function not implemented
[root@server-150 elk]# auditbeat test config
Exiting: 1 error: failed to initialize file event reader: function not implemented
[root@server-150 elk]# auditbeat test output
logstash: *ip*:5044...
connection...
parse host... OK
dns lookup... OK
addresses: *ip*
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
Do you get an error when you revert back to the default yml?
Nothing is jumping out to me so I would try to go back to default and run auditbeat test config then make adjustments to your yml until you hit an error.
That's just the default config. Remove es output and put your logstash info.
But running auditbeat test config with an OK result is what you need to get to first. Your current config is not passing so need to figure out which part is breaking it.
Maybe this can provide more info? I don't get an OK on config test with the default configuration.
2020-11-11T18:18:08.057Z INFO instance/beat.go:299 Setup Beat: auditbeat; Version: 7.9.3
2020-11-11T18:18:08.057Z INFO [index-management] idxmgmt/std.go:184 Set output.elasticsearch.index to 'auditbeat-7.9.3' as ILM is enabled.
2020-11-11T18:18:08.057Z INFO eslegclient/connection.go:99 elasticsearch url: http://localhost:9200
2020-11-11T18:18:08.058Z INFO [publisher] pipeline/module.go:113 Beat name: RATE-PS-16_75
2020-11-11T18:18:08.058Z INFO [auditd] auditd/audit_linux.go:106 auditd module is running as euid=0 on kernel=2.6.18-164.el5
2020-11-11T18:18:08.058Z INFO [auditd] auditd/audit_linux.go:133 socket_type=unicast will be used.
2020-11-11T18:18:08.058Z INFO instance/beat.go:419 auditbeat stopped.
2020-11-11T18:18:08.061Z ERROR instance/beat.go:951 Exiting: 1 error: failed to initialize file event reader: function not implemented
Exiting: 1 error: failed to initialize file event reader: function not implemented
@BenB196 I'd agree with this and unfortunately I am not able to easily test against that version.
@headtea If you are able to test on a newer OS I would start there. If you aren't able to upgrade then you can try to install Filebeat and use the Auditd module. As long as auditd is creating the logs you want in /var/log/audit/ then it should pick them up.
Do you happen to know what auditd needs to be set up with to capture this? And how to have it end up on that dashboard? It seems like this module would create a separate one.
I do not know the correct auditd rules to set for that OS version, sorry. You might be capturing already and can check the /var/log/audit/* folder to see.
The dashboard is a new one but you can pick the individual visualization that you want and add it to an existing dashboard.
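An added triage script, not part of the thread and not Elastic's code, that turns the advice above into something checkable before spending more time on the auditbeat yml. It rests on an assumption the thread never confirms: "function not implemented" is the text of ENOSYS, and Go's inotify-based file watchers open their descriptor with inotify_init1, a syscall that first shipped in Linux 2.6.27, so a 2.6.18-era kernel like the one in the log above would fail exactly this way no matter how the config is written. The version threshold, the function names and the sample audit line are mine; the kernel release strings are the one from the thread plus a newer one for contrast.

```bash
#!/bin/sh
# Added example: triage "failed to initialize file event reader: function not
# implemented" by kernel version, then check whether the Filebeat auditd-module
# fallback has anything to ship. Threshold below is an assumption (inotify_init1
# appeared in 2.6.27); the thread itself does not name the missing syscall.

INOTIFY_INIT1_KERNEL="2 6 27"

# kernel_at_least RELEASE MAJOR MINOR PATCH
# Exit 0 when RELEASE (as printed by `uname -r`) is >= MAJOR.MINOR.PATCH.
# The distro suffix ("-164.el5", "-1160.el7") is ignored; a missing patch
# component counts as 0.
kernel_at_least() {
    krel=${1%%-*}
    IFS=. read -r k_major k_minor k_patch _ <<EOF
$krel
EOF
    [ "$k_major" -gt "$2" ] && return 0
    [ "$k_major" -lt "$2" ] && return 1
    [ "$k_minor" -gt "$3" ] && return 0
    [ "$k_minor" -lt "$3" ] && return 1
    [ "${k_patch:-0}" -ge "$4" ]
}

# audit_logs_present [DIR]
# Exit 0 if DIR (default /var/log/audit) holds at least one non-empty
# audit.log* file, i.e. auditd is already recording something Filebeat could read.
audit_logs_present() {
    adir=${1:-/var/log/audit}
    for f in "$adir"/audit.log*; do
        [ -s "$f" ] && return 0
    done
    return 1
}

# triage RELEASE [DIR]
# Returns 0: kernel new enough, the ENOSYS has another cause, keep debugging
#         2: kernel too old for file_integrity, but auditd logs exist -> Filebeat auditd module
#         3: kernel too old and no auditd logs -> enable auditd first
triage() {
    t_rel=$1
    t_dir=${2:-/var/log/audit}
    # shellcheck disable=SC2086  # intentional word splitting of the threshold
    if kernel_at_least "$t_rel" $INOTIFY_INIT1_KERNEL; then
        echo "kernel $t_rel: inotify_init1 should exist, the ENOSYS comes from something else"
        return 0
    fi
    if audit_logs_present "$t_dir"; then
        echo "kernel $t_rel predates 2.6.27: auditbeat file_integrity cannot run here;"
        echo "auditd logs found under $t_dir, ship them with Filebeat's auditd module"
        return 2
    fi
    echo "kernel $t_rel predates 2.6.27 and $t_dir has no audit.log: enable auditd first"
    return 3
}

# Stand-alone use: `sh triage.sh` on the affected box.
if [ "${TRIAGE_RUN:-}" = "1" ]; then
    triage "$(uname -r)"
fi
```

Run it with `TRIAGE_RUN=1 sh triage.sh` on the host; the guard keeps the functions sourceable from another script. The version compare is deliberately dumb (numeric fields only, suffix dropped) because that is all the kernel line in the auditbeat log gives you.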